]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Sep 2020 14:42:07 +0000 (16:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Sep 2020 14:42:07 +0000 (16:42 +0200)
added patches:
hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch

queue-5.4/hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch b/queue-5.4/hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch
new file mode 100644 (file)
index 0000000..799bbb6
--- /dev/null
@@ -0,0 +1,42 @@
+From 25a097f5204675550afb879ee18238ca917cba7a Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Wed, 29 Jul 2020 07:37:12 -0400
+Subject: HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 25a097f5204675550afb879ee18238ca917cba7a upstream.
+
+`uref->usage_index` is not always being properly checked, causing
+hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
+
+Reported-by: syzbot+34ee1b45d88571c2fa8b@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=f2aebe90b8c56806b050a20b36f51ed6acabe802
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -519,12 +519,16 @@ static noinline int hiddev_ioctl_usage(s
+               switch (cmd) {
+               case HIDIOCGUSAGE:
++                      if (uref->usage_index >= field->report_count)
++                              goto inval;
+                       uref->value = field->value[uref->usage_index];
+                       if (copy_to_user(user_arg, uref, sizeof(*uref)))
+                               goto fault;
+                       goto goodreturn;
+               case HIDIOCSUSAGE:
++                      if (uref->usage_index >= field->report_count)
++                              goto inval;
+                       field->value[uref->usage_index] = uref->value;
+                       goto goodreturn;
index 3fda4a050ddc6afd4436b2a852b68aa93c07ae43..b0db77adb2f24db35b740c6725a6f84f40f1b25d 100644 (file)
@@ -209,3 +209,4 @@ kheaders-remove-the-last-bashism-to-allow-sh-to-run-it.patch
 kheaders-explain-why-include-config-autoconf.h-is-excluded-from-md5sum.patch
 kbuild-add-variables-for-compression-tools.patch
 kbuild-fix-broken-builds-because-of-gzip-bzip2-lzop-variables.patch
+hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch