From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 1 Sep 2020 14:39:29 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.235~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be320e18ea96f6d3804b300637080211df199a79;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch
---

diff --git a/queue-4.4/hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch b/queue-4.4/hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch
new file mode 100644
index 00000000000..cde5f55182c
--- /dev/null
+++ b/queue-4.4/hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch
@@ -0,0 +1,42 @@
+From 25a097f5204675550afb879ee18238ca917cba7a Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Wed, 29 Jul 2020 07:37:12 -0400
+Subject: HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 25a097f5204675550afb879ee18238ca917cba7a upstream.
+
+`uref->usage_index` is not always being properly checked, causing
+hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
+
+Reported-by: syzbot+34ee1b45d88571c2fa8b@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=f2aebe90b8c56806b050a20b36f51ed6acabe802
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -554,12 +554,16 @@ static noinline int hiddev_ioctl_usage(s
+ 
+ 		switch (cmd) {
+ 		case HIDIOCGUSAGE:
++			if (uref->usage_index >= field->report_count)
++				goto inval;
+ 			uref->value = field->value[uref->usage_index];
+ 			if (copy_to_user(user_arg, uref, sizeof(*uref)))
+ 				goto fault;
+ 			goto goodreturn;
+ 
+ 		case HIDIOCSUSAGE:
++			if (uref->usage_index >= field->report_count)
++				goto inval;
+ 			field->value[uref->usage_index] = uref->value;
+ 			goto goodreturn;
+ 
diff --git a/queue-4.4/series b/queue-4.4/series
index b4b61cd4b17..7028ef91a63 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -58,3 +58,4 @@ usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch
 usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch
 usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch
 btrfs-check-the-right-error-variable-in-btrfs_del_di.patch
+hid-hiddev-fix-slab-out-of-bounds-write-in-hiddev_ioctl_usage.patch