On Mon, Feb 11, 2019 at 09:26:25AM -0800, Guenter Roeck wrote:
> From: Vladis Dronov <vdronov@redhat.com>
> 
> commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
> 
> Ring buffer implementation in hid_debug_event() and hid_debug_events_read() is strange allowing lost or corrupted data. After commit 717adfdaf147 ("HID: debug: check length before copy_to_user()") it is possible to enter an infinite loop in hid_debug_events_read() by providing 0 as count, this locks up a system. Fix this by rewriting the ring buffer implementation with kfifo and simplify the code.
> 
> This fixes CVE-2019-3819.
> 
> v2: fix an execution logic and add a comment
> v3: use __set_current_state() instead of set_current_state()
> 
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
> Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
> Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Reviewed-by: Oleg Nesterov <oleg@redhat.com>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> [groeck: backport to v4.14.y]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> 
> This patch is marked v4.18+, but commit 717adfdaf147 is marked for stable and found its way into all stable releases. Therefore, this patch is needed in older stable releases as well. This patch only applies to v4.14.y; backport to v4.9.y will follow.
> 
> Copying patch author and reviewers to make sure I didn't miss anything.
> 
>  drivers/hid/hid-debug.c   | 121 ++++++++++++++++++----------------------------
>  include/linux/hid-debug.h |   9 ++--
>  2 files changed, 51 insertions(+), 79 deletions(-)
Vladis sent backports that are a bit different from yours, so I'll go with his now :)
thanks,
greg k-h
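The commit message above describes two defects in the old hid-debug ring buffer: data could be lost or corrupted, and a zero-length read could spin forever because the read loop only exited once at least one byte had been copied. The following userspace model, added here as an illustration and not taken from the patch or from the kernel, shows the shape of the kfifo-style fix: a power-of-two buffer indexed by monotonically increasing `in`/`out` counters, bounded producer and consumer copies, and a read path that returns immediately when `count == 0`. The function names (`rb_in`, `rb_out`, `events_read`), the buffer size and the `-EAGAIN` return for an empty buffer are assumptions of this example; the real driver sleeps on a wait queue instead of returning.

```c
/* Added example: a kfifo-like ring buffer with a zero-length-read guard.
 * Not the kernel's code; names, sizes and the -EAGAIN behaviour are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <string.h>

#define RB_SIZE 16u            /* power of two, as kfifo requires, so masking works */
#define EAGAIN_ERR (-11)       /* stands in for -EAGAIN in this userspace model */

struct ringbuf {
    unsigned char buf[RB_SIZE];
    unsigned int in;           /* bytes ever produced; wraps harmlessly mod 2^32 */
    unsigned int out;          /* bytes ever consumed */
};

static void rb_init(struct ringbuf *rb)
{
    memset(rb, 0, sizeof *rb);
}

/* Bytes currently buffered. Unsigned subtraction stays correct across wrap. */
static unsigned int rb_len(const struct ringbuf *rb)
{
    return rb->in - rb->out;
}

/* Producer (kfifo_in semantics): copy at most the free space, never overwrite
 * unread bytes. Returns the number of bytes actually stored; the caller can
 * detect truncation by comparing with n. */
static unsigned int rb_in(struct ringbuf *rb, const void *src, unsigned int n)
{
    const unsigned char *s = src;
    unsigned int space = RB_SIZE - rb_len(rb);
    if (n > space)
        n = space;
    for (unsigned int i = 0; i < n; i++)
        rb->buf[(rb->in + i) & (RB_SIZE - 1)] = s[i];
    rb->in += n;
    return n;
}

/* Consumer (kfifo_out semantics): copy at most what is buffered. */
static unsigned int rb_out(struct ringbuf *rb, void *dst, unsigned int n)
{
    unsigned char *d = dst;
    unsigned int avail = rb_len(rb);
    if (n > avail)
        n = avail;
    for (unsigned int i = 0; i < n; i++)
        d[i] = rb->buf[(rb->out + i) & (RB_SIZE - 1)];
    rb->out += n;
    return n;
}

/* Read path modelled on a debugfs read() handler. The explicit count == 0
 * check is the point of the example: a loop that waits "until something was
 * copied" can never make progress on a zero-length request, so a zero-length
 * read must be answered with 0 before any waiting or copying happens. */
static long events_read(struct ringbuf *rb, char *user_buf, size_t count)
{
    if (count == 0)
        return 0;                       /* nothing requested: POSIX read() returns 0 */
    if (rb_len(rb) == 0)
        return EAGAIN_ERR;              /* assumption: non-blocking; kernel would sleep */
    unsigned int n = count > UINT_MAX ? UINT_MAX : (unsigned int)count;
    return (long)rb_out(rb, user_buf, n);
}

int main(void)
{
    struct ringbuf rb;
    char out[32];
    rb_init(&rb);
    rb_in(&rb, "hello", 5);             /* constructed sample event data */
    events_read(&rb, out, 0);           /* returns 0 immediately, buffer untouched */
    events_read(&rb, out, sizeof out);  /* returns 5 and drains the buffer */
    return 0;
}
```

The producer side also shows why the rewrite addresses the "lost or corrupted data" remark: `rb_in` never writes past the unread region, so an overflow is reported as a short store rather than silently corrupting events the reader has not yet seen.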