HID: CVE-2018-9516

HID: debug: check length before copy_to_user() References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4a30c12542290f1def08b9ef0d677c024c500589 Change-Id: Id70114f96d06b7d085e4fa3f5f8b09a84ae24528 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-12 15:58:02 +0200
committer: Adrian Dudau <Adrian.Dudau@enea.com> 2018-10-16 17:39:51 +0200
commit: 7d11a35246278eab7f0b00496407efb1c16d5fb9 (patch)
tree: a69ec8b882a465ca3549396064bbddab04a2663f
parent: 9089c328a92479aae24cc5dd5153816531398fd9 (diff)
download: enea-kernel-cache-7d11a35246278eab7f0b00496407efb1c16d5fb9.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index bd68a48..0121888 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -33,4 +33,5 @@ patch CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
 patch CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch
 patch CVE-2018-10881-ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch
 patch CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch
+patch CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
diff --git a/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
new file mode 100644
index 0000000..e99f097
--- /dev/null
+++ b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
@@ -0,0 +1,56 @@
+From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001
+From: Daniel Rosenberg <drosen@google.com>
+Date: Mon, 2 Jul 2018 16:59:37 -0700
+Subject: [PATCH] HID: debug: check length before copy_to_user()
+If our length is greater than the size of the buffer, we
+overflow the buffer
+CVE: CVE-2018-11237   
+Upstream-Status: Backport  
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/hid/hid-debug.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
+index 4f4e7a0..4db8e14 100644
+--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
+@@ -1154,6 +1154,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+                        goto out;
+                if (list->tail > list->head) {
+                        len = list->tail - list->head;
+                       if (len > count)
+                               len = count;
+ 
+                        if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+                                ret = -EFAULT;
+@@ -1163,6 +1165,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+                        list->head += len;
+                } else {
+                        len = HID_DEBUG_BUFSIZE - list->head;
+                       if (len > count)
+                               len = count;
+ 
+                        if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+                                ret = -EFAULT;
+@@ -1170,7 +1174,9 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+                        }
+                        list->head = 0;
+                        ret += len;
+-                       goto copy_rest;
+                       count -= len;
+                       if (count > 0)
+                               goto copy_rest;
+                }
+ 
+        }
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-12 15:58:02 +0200
committer	Adrian Dudau <Adrian.Dudau@enea.com>	2018-10-16 17:39:51 +0200
commit	7d11a35246278eab7f0b00496407efb1c16d5fb9 (patch)
tree	a69ec8b882a465ca3549396064bbddab04a2663f
parent	9089c328a92479aae24cc5dd5153816531398fd9 (diff)
download	enea-kernel-cache-7d11a35246278eab7f0b00496407efb1c16d5fb9.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index bd68a48..0121888 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -33,4 +33,5 @@ patch CVE-2018-10878-ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
33	patch CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch	33	patch CVE-2018-10879-ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch
34	patch CVE-2018-10881-ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch	34	patch CVE-2018-10881-ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch
35	patch CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch	35	patch CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch
		36	patch CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
36		37


diff --git a/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch new file mode 100644 index 0000000..e99f097 --- /dev/null +++ b/patches/cve/CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
@@ -0,0 +1,56 @@
		1	From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001
		2	From: Daniel Rosenberg <drosen@google.com>
		3	Date: Mon, 2 Jul 2018 16:59:37 -0700
		4	Subject: [PATCH] HID: debug: check length before copy_to_user()
		5
		6	If our length is greater than the size of the buffer, we
		7	overflow the buffer
		8
		9	CVE: CVE-2018-11237
		10	Upstream-Status: Backport
		11
		12	Cc: stable@vger.kernel.org
		13	Signed-off-by: Daniel Rosenberg <drosen@google.com>
		14	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
		15	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
		16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		17	---
		18	drivers/hid/hid-debug.c \| 8 +++++++-
		19	1 file changed, 7 insertions(+), 1 deletion(-)
		20
		21	diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
		22	index 4f4e7a0..4db8e14 100644
		23	--- a/drivers/hid/hid-debug.c
		24	+++ b/drivers/hid/hid-debug.c
		25	@@ -1154,6 +1154,8 @@ static ssize_t hid_debug_events_read(struct file file, char __user buffer,
		26	goto out;
		27	if (list->tail > list->head) {
		28	len = list->tail - list->head;
		29	+ if (len > count)
		30	+ len = count;
		31
		32	if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
		33	ret = -EFAULT;
		34	@@ -1163,6 +1165,8 @@ static ssize_t hid_debug_events_read(struct file file, char __user buffer,
		35	list->head += len;
		36	} else {
		37	len = HID_DEBUG_BUFSIZE - list->head;
		38	+ if (len > count)
		39	+ len = count;
		40
		41	if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
		42	ret = -EFAULT;
		43	@@ -1170,7 +1174,9 @@ static ssize_t hid_debug_events_read(struct file file, char __user buffer,
		44	}
		45	list->head = 0;
		46	ret += len;
		47	- goto copy_rest;
		48	+ count -= len;
		49	+ if (count > 0)
		50	+ goto copy_rest;
		51	}
		52
		53	}
		54	--
		55
		56