HID: CVE-2018-9516

HID: debug: check length before copy_to_user() Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4a30c12542290f1def08b9ef0d677c024c500589 Change-Id: I2c6c79c1f44b3ef6f9c5e386d3c1c5c3971da7da Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:40:52 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:40:52 +0200
commit: 9d79a74903e810c7fbaf80000f4dea85f33de202 (patch)
tree: 5112c9a0047c6786f5ad87f883728e82e9a692bb
parent: 588a9af2bd15ab9a86cd9672293e9c8942964c1a (diff)
download: enea-kernel-cache-9d79a74903e810c7fbaf80000f4dea85f33de202.tar.gz
2 files changed, 62 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 96a5b31..c9bec68 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -15,3 +15,6 @@ SRC_URI += "file://CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-ch
 #CVEs fixed in 4.9.111:
 SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocation.patch"
+#CVEs fixed in 4.9.112:
+SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"
diff --git a/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
new file mode 100644
index 0000000..ccdbb0c
--- /dev/null
+++ b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
@@ -0,0 +1,59 @@
+From 4a30c12542290f1def08b9ef0d677c024c500589 Mon Sep 17 00:00:00 2001
+From: Daniel Rosenberg <drosen@google.com>
+Date: Mon, 2 Jul 2018 16:59:37 -0700
+Subject: [PATCH] HID: debug: check length before copy_to_user()
+commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.
+If our length is greater than the size of the buffer, we
+overflow the buffer
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+CVE: CVE-2018-9516
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4a30c12542290f1def08b9ef0d677c024c500589]
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/hid/hid-debug.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
+index acfb522a432a..29423691c105 100644
+--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
+@@ -1152,6 +1152,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+                        goto out;
+                if (list->tail > list->head) {
+                        len = list->tail - list->head;
+                       if (len > count)
+                               len = count;
+ 
+                        if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+                                ret = -EFAULT;
+@@ -1161,6 +1163,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+                        list->head += len;
+                } else {
+                        len = HID_DEBUG_BUFSIZE - list->head;
+                       if (len > count)
+                               len = count;
+ 
+                        if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+                                ret = -EFAULT;
+@@ -1168,7 +1172,9 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+                        }
+                        list->head = 0;
+                        ret += len;
+-                       goto copy_rest;
+                       count -= len;
+                       if (count > 0)
+                               goto copy_rest;
+                }
+ 
+        }
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:40:52 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:40:52 +0200
commit	9d79a74903e810c7fbaf80000f4dea85f33de202 (patch)
tree	5112c9a0047c6786f5ad87f883728e82e9a692bb
parent	588a9af2bd15ab9a86cd9672293e9c8942964c1a (diff)
download	enea-kernel-cache-9d79a74903e810c7fbaf80000f4dea85f33de202.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 96a5b31..c9bec68 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -15,3 +15,6 @@ SRC_URI += "file://CVE-2017-18255-perf-core-Fix-the-perf_cpu_time_max_percent-ch
15		15
16	#CVEs fixed in 4.9.111:	16	#CVEs fixed in 4.9.111:
17	SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocation.patch"	17	SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocation.patch"
		18
		19	#CVEs fixed in 4.9.112:
		20	SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"


diff --git a/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch new file mode 100644 index 0000000..ccdbb0c --- /dev/null +++ b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
@@ -0,0 +1,59 @@
		1	From 4a30c12542290f1def08b9ef0d677c024c500589 Mon Sep 17 00:00:00 2001
		2	From: Daniel Rosenberg <drosen@google.com>
		3	Date: Mon, 2 Jul 2018 16:59:37 -0700
		4	Subject: [PATCH] HID: debug: check length before copy_to_user()
		5
		6	commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.
		7
		8	If our length is greater than the size of the buffer, we
		9	overflow the buffer
		10
		11	Cc: stable@vger.kernel.org
		12	Signed-off-by: Daniel Rosenberg <drosen@google.com>
		13	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
		14
		15	CVE: CVE-2018-9516
		16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4a30c12542290f1def08b9ef0d677c024c500589]
		17
		18	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
		19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		20	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		21	---
		22	drivers/hid/hid-debug.c \| 8 +++++++-
		23	1 file changed, 7 insertions(+), 1 deletion(-)
		24
		25	diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
		26	index acfb522a432a..29423691c105 100644
		27	--- a/drivers/hid/hid-debug.c
		28	+++ b/drivers/hid/hid-debug.c
		29	@@ -1152,6 +1152,8 @@ static ssize_t hid_debug_events_read(struct file file, char __user buffer,
		30	goto out;
		31	if (list->tail > list->head) {
		32	len = list->tail - list->head;
		33	+ if (len > count)
		34	+ len = count;
		35
		36	if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
		37	ret = -EFAULT;
		38	@@ -1161,6 +1163,8 @@ static ssize_t hid_debug_events_read(struct file file, char __user buffer,
		39	list->head += len;
		40	} else {
		41	len = HID_DEBUG_BUFSIZE - list->head;
		42	+ if (len > count)
		43	+ len = count;
		44
		45	if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
		46	ret = -EFAULT;
		47	@@ -1168,7 +1172,9 @@ static ssize_t hid_debug_events_read(struct file file, char __user buffer,
		48	}
		49	list->head = 0;
		50	ret += len;
		51	- goto copy_rest;
		52	+ count -= len;
		53	+ if (count > 0)
		54	+ goto copy_rest;
		55	}
		56
		57	}
		58
		59