From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org, Vladis Dronov <vdronov@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Benjamin Tissoires <benjamin.tissoires@redhat.com>
Subject: Re: [PATCH v4.14.y] HID: debug: fix the ring buffer implementation
Date: Wed, 13 Feb 2019 15:18:08 +0100
Message-ID: <20190213141808.GD10202@kroah.com>
In-Reply-To: <1549905985-28911-1-git-send-email-linux@roeck-us.net>

On Mon, Feb 11, 2019 at 09:26:25AM -0800, Guenter Roeck wrote:
> From: Vladis Dronov <vdronov@redhat.com>
> 
> commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
> 
> Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
> is strange allowing lost or corrupted data. After commit 717adfdaf147
> ("HID: debug: check length before copy_to_user()") it is possible to enter
> an infinite loop in hid_debug_events_read() by providing 0 as count, this
> locks up a system. Fix this by rewriting the ring buffer implementation
> with kfifo and simplify the code.
> 
> This fixes CVE-2019-3819.
> 
> v2: fix an execution logic and add a comment
> v3: use __set_current_state() instead of set_current_state()
> 
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
> Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
> Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Reviewed-by: Oleg Nesterov <oleg@redhat.com>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> [groeck: backport to v4.14.y]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
> This patch is marked v4.18+, but commit 717adfdaf147 is marked for stable
> and found its way into all stable releases. Therefore, this patch is needed
> in older stable releases as well. This patch only applies to v4.14.y;
> backport to v4.9.y will follow.
> 
> Copying patch author and reviewers to make sure I didn't miss anything.
> 
>  drivers/hid/hid-debug.c   | 121 ++++++++++++++++++----------------------------
>  include/linux/hid-debug.h |   9 ++--
>  2 files changed, 51 insertions(+), 79 deletions(-)

Vladis sent backports that are a bit different from yours, so I'll go
with his now :)

thanks,

greg k-h
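
The zero-count lockup described in the quoted commit message, as a user-space model added here; it is not code from the kernel, the patch, or anyone in this thread. The struct, function names, buffer size and the SPIN_LIMIT guard are assumptions, and the upstream fix replaces the buffer with kfifo rather than adding the check shown in read_checked().

```c
#include <stdio.h>
#include <string.h>

#define RB_SIZE    16    /* constructed size for this model */
#define SPIN_LIMIT 1000  /* guard: report the spin instead of hanging */
struct ring { char buf[RB_SIZE]; size_t head, tail; };

static void ring_put(struct ring *r, const char *s)
{
    for (; *s; s++, r->tail = (r->tail + 1) % RB_SIZE)
        r->buf[r->tail] = *s;
}

/* Reader whose only exit condition is "some bytes were copied".
 * Returns bytes copied, 0 if the ring is empty, -1 if it spun without progress. */
static long read_until_copied(struct ring *r, char *out, size_t count)
{
    long ret = 0, spins = 0;
    while (ret == 0) {
        if (++spins > SPIN_LIMIT) return -1;  /* an unguarded loop never leaves */
        if (r->head == r->tail) return 0;     /* model only: a real reader would sleep */
        size_t len = (r->tail > r->head) ? r->tail - r->head : RB_SIZE - r->head;
        if (len > count) len = count;         /* count == 0 clamps len to 0 */
        memcpy(out + ret, r->buf + r->head, len);
        ret += (long)len;                     /* stays 0, so the loop repeats */
        r->head = (r->head + len) % RB_SIZE;
    }
    return ret;
}

/* Same reader with the zero-length request handled before the loop. */
static long read_checked(struct ring *r, char *out, size_t count)
{
    return count == 0 ? 0 : read_until_copied(r, out, count);
}

int main(void)
{
    struct ring r = {0};
    char out[RB_SIZE];
    ring_put(&r, "abc");                      /* constructed sample data */
    long spun = read_until_copied(&r, out, 0);
    long zero = read_checked(&r, out, 0);
    long got  = read_checked(&r, out, sizeof out);
    printf("unchecked count=0: %ld, checked count=0: %ld, normal read: %ld\n", spun, zero, got);
    return 0;
}
```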
