3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Oct 2017 15:12:30 +0000 (17:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Oct 2017 15:12:30 +0000 (17:12 +0200)
added patches:
driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch

queue-3.18/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch [new file with mode: 0644]
queue-3.18/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch b/queue-3.18/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
new file mode 100644 (file)
index 0000000..e23dcc2
--- /dev/null
@@ -0,0 +1,38 @@
+From bf563b01c2895a4bfd1a29cc5abc67fe706ecffd Mon Sep 17 00:00:00 2001
+From: Nicolai Stange <nstange@suse.de>
+Date: Mon, 11 Sep 2017 09:45:42 +0200
+Subject: driver core: platform: Don't read past the end of "driver_override" buffer
+
+From: Nicolai Stange <nstange@suse.de>
+
+commit bf563b01c2895a4bfd1a29cc5abc67fe706ecffd upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094 bytes
+long, the printing code would access invalid memory because we need count+1
+bytes for printing.
+
+Reject driver_override values of these lengths in driver_override_store().
+
+This is in close analogy to commit 4efe874aace5 ("PCI: Don't read past the
+end of sysfs "driver_override" buffer") from Sasha Levin.
+
+Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/platform.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -729,7 +729,8 @@ static ssize_t driver_override_store(str
+       struct platform_device *pdev = to_platform_device(dev);
+       char *driver_override, *old, *cp;
+-      if (count > PATH_MAX)
++      /* We need to keep extra room for a newline */
++      if (count >= (PAGE_SIZE - 1))
+               return -EINVAL;
+       driver_override = kstrndup(buf, count, GFP_KERNEL);
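Review bot: The added comment `/* We need to keep extra room for a newline */` does not say where the newline comes from or why the bound is `PAGE_SIZE - 1`, so a reader cannot check the arithmetic against the code that prints the value. The commit message says printing needs count+1 bytes, which suggests the show routine formats the stored string plus a newline and terminator into a page-sized sysfs buffer; if that matches this tree, I would write it out, e.g. `/* driver_override_show() prints the string plus '\n' and NUL into a PAGE_SIZE buffer */`. The limit also moves from `PATH_MAX` to a `PAGE_SIZE`-derived value, and the two differ on architectures with pages larger than 4 KiB, which deserves a mention in the comment. driver_override_store() continues outside the hunk, so the handling of a failed kstrndup() is not visible here.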
diff --git a/queue-3.18/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch b/queue-3.18/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch
new file mode 100644 (file)
index 0000000..b563025
--- /dev/null
@@ -0,0 +1,36 @@
+From 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b Mon Sep 17 00:00:00 2001
+From: Adrian Salido <salidoa@google.com>
+Date: Fri, 8 Sep 2017 10:55:27 -0700
+Subject: HID: i2c-hid: allocate hid buffers for real worst case
+
+From: Adrian Salido <salidoa@google.com>
+
+commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream.
+
+The buffer allocation is not currently accounting for an extra byte for
+the report id. This can cause an out of bounds access in function
+i2c_hid_set_or_send_report() with reportID > 15.
+
+Signed-off-by: Adrian Salido <salidoa@google.com>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -526,7 +526,8 @@ static int i2c_hid_alloc_buffers(struct
+ {
+       /* the worst case is computed from the set_report command with a
+        * reportID > 15 and the maximum report length */
+-      int args_len = sizeof(__u8) + /* optional ReportID byte */
++      int args_len = sizeof(__u8) + /* ReportID */
++                     sizeof(__u8) + /* optional ReportID byte */
+                      sizeof(__u16) + /* data register */
+                      sizeof(__u16) + /* size of the report */
+                      report_size; /* report */
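Review bot: The adjacent comments `/* ReportID */` and `/* optional ReportID byte */` do not tell a reader which byte is always present and which is the extra one, and that is exactly the accounting this change corrects. Going by the commit message, the additional byte is needed when reportID > 15, so I would make the distinction explicit, e.g. `/* ReportID sent with the report data */` and `/* extra ReportID byte in the command, only when reportID > 15 */`, to be confirmed against i2c_hid_set_or_send_report(), which is outside this hunk. Separately, the sum is stored in an `int` while the type of `report_size` is cut off in the truncated signature; if it is an unsigned size taken from the device's report descriptor, declaring `size_t args_len` would avoid a narrowing conversion before the allocation. The function body continues past the end of the hunk.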
index dbd5c16d41a56b52e888fb132ac373cf50755761..dadd2be32039f89f97b52b2c38f22c5e5974d6cb 100644 (file)
@@ -22,3 +22,5 @@ uwb-properly-check-kthread_run-return-value.patch
 uwb-ensure-that-endpoint-is-interrupt.patch
 lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch
 alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch
+driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
+hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch