From: Greg Kroah-Hartman Date: Tue, 10 Oct 2017 15:12:30 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.75~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e247b983d04a8d8a9b30eade32de38871f9eca94;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch
---
diff --git a/queue-3.18/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch b/queue-3.18/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
new file mode 100644
index 00000000000..e23dcc232af
--- /dev/null
+++ b/queue-3.18/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
@@ -0,0 +1,38 @@
+From bf563b01c2895a4bfd1a29cc5abc67fe706ecffd Mon Sep 17 00:00:00 2001
+From: Nicolai Stange
+Date: Mon, 11 Sep 2017 09:45:42 +0200
+Subject: driver core: platform: Don't read past the end of "driver_override" buffer
+
+From: Nicolai Stange
+
+commit bf563b01c2895a4bfd1a29cc5abc67fe706ecffd upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094 bytes
+long, the printing code would access invalid memory because we need count+1
+bytes for printing.
+
+Reject driver_override values of these lengths in driver_override_store().
+
+This is in close analogy to commit 4efe874aace5 ("PCI: Don't read past the
+end of sysfs "driver_override" buffer") from Sasha Levin.
+
+Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
+Signed-off-by: Nicolai Stange
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -729,7 +729,8 @@ static ssize_t driver_override_store(str
+ struct platform_device *pdev = to_platform_device(dev);
+ char *driver_override, *old, *cp;
+
+- if (count > PATH_MAX)
++ /* We need to keep extra room for a newline */
++ if (count >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ driver_override = kstrndup(buf, count, GFP_KERNEL);
diff --git a/queue-3.18/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch b/queue-3.18/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch
new file mode 100644
index 00000000000..b5630257593
--- /dev/null
+++ b/queue-3.18/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch
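Review bot: The added comment `/* We need to keep extra room for a newline */` in driver_override_store() (the drivers/base/platform.c hunk) accounts for only one of the bytes that the new bound `count >= (PAGE_SIZE - 1)` reserves. Going by the commit message, the read side prints the stored string with a trailing newline, and the terminating NUL needs a byte as well, which is presumably why the largest accepted length is PAGE_SIZE - 2; I would say so in the comment, e.g. `/* the show side prints the value plus '\n' and a NUL into one page, so count must stay below PAGE_SIZE - 1 */`. The show routine is not part of this hunk, so its format string should be checked against the 3.18 tree before wording the comment that precisely. The limit also now follows PAGE_SIZE rather than PATH_MAX, so builds with larger pages accept longer values than before. driver_override_store() begins and ends outside the hunk.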
@@ -0,0 +1,36 @@
+From 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b Mon Sep 17 00:00:00 2001
+From: Adrian Salido
+Date: Fri, 8 Sep 2017 10:55:27 -0700
+Subject: HID: i2c-hid: allocate hid buffers for real worst case
+
+From: Adrian Salido
+
+commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream.
+
+The buffer allocation is not currently accounting for an extra byte for
+the report id. This can cause an out of bounds access in function
+i2c_hid_set_or_send_report() with reportID > 15.
+
+Signed-off-by: Adrian Salido
+Reviewed-by: Benson Leung
+Signed-off-by: Guenter Roeck
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -526,7 +526,8 @@ static int i2c_hid_alloc_buffers(struct
+ {
+ /* the worst case is computed from the set_report command with a
+ * reportID > 15 and the maximum report length */
+- int args_len = sizeof(__u8) + /* optional ReportID byte */
++ int args_len = sizeof(__u8) + /* ReportID */
++ sizeof(__u8) + /* optional ReportID byte */
+ sizeof(__u16) + /* data register */
+ sizeof(__u16) + /* size of the report */
+ report_size; /* report */
diff --git a/queue-3.18/series b/queue-3.18/series
index dbd5c16d41a..dadd2be3203 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -22,3 +22,5 @@ uwb-properly-check-kthread_run-return-value.patch
 uwb-ensure-that-endpoint-is-interrupt.patch
 lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch
 alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch
+driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
+hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch
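Review bot: In i2c_hid_alloc_buffers() (the drivers/hid/i2c-hid/i2c-hid.c hunk) the two adjacent comments `/* ReportID */` and `/* optional ReportID byte */` do not say which byte is which, so the second `sizeof(__u8)` reads like a duplicate that a later cleanup could remove, bringing back the under-allocation. The commit message ties the extra byte to i2c_hid_set_or_send_report() with reportID > 15; assuming that function writes the ID once as an extra command byte and once in front of the report data (it is not visible here), comments such as `/* ReportID in front of the report data */` and `/* extra command byte, only when reportID > 15 */` would make the worst case self-explanatory. The function body continues outside the hunk.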