author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:40:52 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:40:52 +0200 |
commit | 9d79a74903e810c7fbaf80000f4dea85f33de202 (patch) | |
tree | 5112c9a0047c6786f5ad87f883728e82e9a692bb | |
parent | 588a9af2bd15ab9a86cd9672293e9c8942964c1a (diff) | |
download | enea-kernel-cache-9d79a74903e810c7fbaf80000f4dea85f33de202.tar.gz |
HID: CVE-2018-9516
HID: debug: check length before copy_to_user()
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4a30c12542290f1def08b9ef0d677c024c500589
Change-Id: I2c6c79c1f44b3ef6f9c5e386d3c1c5c3971da7da
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch | 59 |
2 files changed, 62 insertions, 0 deletions
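--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -15,3 +15,6 @@ SRC_URI += "file://CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-ch
 
 #CVEs fixed in 4.9.111:
 SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocation.patch"
+
+#CVEs fixed in 4.9.112:
+SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"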
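--- /dev/null
+++ b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
@@ -0,0 +1,59 @@
+From 4a30c12542290f1def08b9ef0d677c024c500589 Mon Sep 17 00:00:00 2001
+From: Daniel Rosenberg <drosen@google.com>
+Date: Mon, 2 Jul 2018 16:59:37 -0700
+Subject: [PATCH] HID: debug: check length before copy_to_user()
+
+commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.
+
+If our length is greater than the size of the buffer, we
+overflow the buffer
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+CVE: CVE-2018-9516
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4a30c12542290f1def08b9ef0d677c024c500589]
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+drivers/hid/hid-debug.c | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
+index acfb522a432a..29423691c105 100644
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -1152,6 +1152,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+goto out;
+if (list->tail > list->head) {
+len = list->tail - list->head;
++ if (len > count)
++ len = count;
+
+if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+ret = -EFAULT;
+@@ -1161,6 +1163,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+list->head += len;
+} else {
+len = HID_DEBUG_BUFSIZE - list->head;
++ if (len > count)
++ len = count;
+
+if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+ret = -EFAULT;
+@@ -1168,7 +1172,9 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+}
+list->head = 0;
+ret += len;
+- goto copy_rest;
++ count -= len;
++ if (count > 0)
++ goto copy_rest;
+}
+
+}
+
+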
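Review bot: In the wrap-around branch of the embedded patch (patch lines 41–50), `len` is now clamped to `count` but `list->head = 0;` still runs unconditionally, so a read shorter than `HID_DEBUG_BUFSIZE - list->head` appears to skip the uncopied bytes at the end of the ring. Advancing by what was actually copied, e.g. `list->head = (list->head + len) % HID_DEBUG_BUFSIZE;`, would keep them for the next read. This is a data-loss issue rather than a memory-safety one, and the clamp itself does bound both `copy_to_user()` calls. The function body and the `copy_rest` label lie outside the visible hunks, so confirm against the full source; because the file is a verbatim stable backport, prefer picking up any upstream follow-up to `hid_debug_events_read()` over editing the patch locally.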