Date: Wed, 13 Feb 2019 15:18:08 +0100
From: Greg Kroah-Hartman
To: Guenter Roeck
Cc: stable@vger.kernel.org, Vladis Dronov, Oleg Nesterov, Benjamin Tissoires
Subject: Re: [PATCH v4.14.y] HID: debug: fix the ring buffer implementation
Message-ID: <20190213141808.GD10202@kroah.com>
In-Reply-To: <1549905985-28911-1-git-send-email-linux@roeck-us.net>

On Mon, Feb 11, 2019 at 09:26:25AM -0800, Guenter Roeck wrote:
> From: Vladis Dronov
>
> commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
>
> Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
> is strange allowing lost or corrupted data. After commit 717adfdaf147
> ("HID: debug: check length before copy_to_user()") it is possible to enter
> an infinite loop in hid_debug_events_read() by providing 0 as count, this
> locks up a system. Fix this by rewriting the ring buffer implementation
> with kfifo and simplify the code.
>
> This fixes CVE-2019-3819.
>
> v2: fix an execution logic and add a comment
> v3: use __set_current_state() instead of set_current_state()
>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
> Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
> Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
> Signed-off-by: Vladis Dronov
> Reviewed-by: Oleg Nesterov
> Signed-off-by: Benjamin Tissoires
> Signed-off-by: Greg Kroah-Hartman
> [groeck: backport to v4.14.y]
> Signed-off-by: Guenter Roeck
> ---
> This patch is marked v4.18+, but commit 717adfdaf147 is marked for stable
> and found its way into all stable releases. Therefore, this patch is needed
> in older stable releases as well. This patch only applies to v4.14.y;
> backport to v4.9.y will follow.
>
> Copying patch author and reviewers to make sure I didn't miss anything.
>
>  drivers/hid/hid-debug.c   | 121 ++++++++++++++++++----------------------------
>  include/linux/hid-debug.h |   9 ++--
>  2 files changed, 51 insertions(+), 79 deletions(-)

Vladis sent backports that are a bit different from yours, so I'll go with his now :)

thanks,

greg k-h
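
Added example (not part of this mail or of the kernel patch): a user-space model of a kfifo-style byte FIFO, showing the two properties the quoted commit message is about, namely a read with count 0 that returns at once and a full buffer that refuses extra bytes instead of overwriting unread ones. The names byte_fifo, fifo_put, fifo_get and fifo_demo are hypothetical, and the sample strings are constructed.

```c
/* User-space model of a kfifo-style byte FIFO (illustrative; not the kernel's code). */
#include <string.h>
#define FIFO_SIZE 8u                  /* must be a power of two */
#define FIFO_MASK (FIFO_SIZE - 1u)

struct byte_fifo {
    unsigned char data[FIFO_SIZE];
    unsigned int in, out;             /* free-running write/read indices, masked on use */
};

static unsigned int fifo_len(const struct byte_fifo *f) { return f->in - f->out; }
static unsigned int fifo_avail(const struct byte_fifo *f) { return FIFO_SIZE - fifo_len(f); }

/* Producer: store at most the free space, so unread bytes are never overwritten. */
static unsigned int fifo_put(struct byte_fifo *f, const void *src, unsigned int n)
{
    if (n > fifo_avail(f)) n = fifo_avail(f);
    unsigned int off = f->in & FIFO_MASK;
    unsigned int first = n < FIFO_SIZE - off ? n : FIFO_SIZE - off;
    memcpy(f->data + off, src, first);                        /* up to end of array */
    memcpy(f->data, (const unsigned char *)src + first, n - first);  /* wrapped part */
    f->in += n;
    return n;
}

/* Consumer: a zero count or an empty FIFO returns 0 immediately; there is no loop
 * whose exit depends on count being non-zero. */
static unsigned int fifo_get(struct byte_fifo *f, void *dst, unsigned int count)
{
    if (count > fifo_len(f)) count = fifo_len(f);
    if (count == 0) return 0;
    unsigned int off = f->out & FIFO_MASK;
    unsigned int first = count < FIFO_SIZE - off ? count : FIFO_SIZE - off;
    memcpy(dst, f->data + off, first);
    memcpy((unsigned char *)dst + first, f->data, count - first);
    f->out += count;
    return count;
}

/* Constructed scenario: returns 0 if every check holds, else the failing step. */
int fifo_demo(void)
{
    struct byte_fifo f = { {0}, 0, 0 };
    unsigned char buf[FIFO_SIZE] = {0};
    if (fifo_put(&f, "abcdef", 6) != 6) return 1;
    if (fifo_get(&f, buf, 0) != 0 || fifo_len(&f) != 6) return 2;   /* count == 0 */
    if (fifo_get(&f, buf, 4) != 4 || memcmp(buf, "abcd", 4)) return 3;
    if (fifo_put(&f, "ghijklmn", 8) != 6) return 4;        /* only 6 bytes fit */
    if (fifo_get(&f, buf, 8) != 8 || memcmp(buf, "efghijkl", 8)) return 5;  /* wrapped */
    return fifo_get(&f, buf, 8) == 0 ? 0 : 6;              /* empty FIFO */
}
```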