From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org, Vladis Dronov <vdronov@redhat.com>,
Oleg Nesterov <oleg@redhat.com>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>
Subject: Re: [PATCH v4.14.y] HID: debug: fix the ring buffer implementation
Date: Wed, 13 Feb 2019 15:18:08 +0100 [thread overview]
Message-ID: <20190213141808.GD10202@kroah.com> (raw)
In-Reply-To: <1549905985-28911-1-git-send-email-linux@roeck-us.net>
On Mon, Feb 11, 2019 at 09:26:25AM -0800, Guenter Roeck wrote:
> From: Vladis Dronov <vdronov@redhat.com>
>
> commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
>
> Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
> is strange allowing lost or corrupted data. After commit 717adfdaf147
> ("HID: debug: check length before copy_to_user()") it is possible to enter
> an infinite loop in hid_debug_events_read() by providing 0 as count, this
> locks up a system. Fix this by rewriting the ring buffer implementation
> with kfifo and simplify the code.
>
> This fixes CVE-2019-3819.
>
> v2: fix an execution logic and add a comment
> v3: use __set_current_state() instead of set_current_state()
>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
> Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
> Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Reviewed-by: Oleg Nesterov <oleg@redhat.com>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> [groeck: backport to v4.14.y]
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
> This patch is marked v4.18+, but commit 717adfdaf147 is marked for stable
> and found its way into all stable releases. Therefore, this patch is needed
> in older stable releases as well. This patch only applies to v4.14.y;
> backport to v4.9.y will follow.
>
> Copying patch author and reviewers to make sure I didn't miss anything.
>
> drivers/hid/hid-debug.c | 121 ++++++++++++++++++----------------------------
> include/linux/hid-debug.h | 9 ++--
> 2 files changed, 51 insertions(+), 79 deletions(-)
Vladis sent backports that are a bit different from yours, so I'll go
with his now :)
thanks,
greg k-h
next prev parent reply other threads:[~2019-02-13 14:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-11 17:26 [PATCH v4.14.y] HID: debug: fix the ring buffer implementation Guenter Roeck
2019-02-13 14:18 ` Greg Kroah-Hartman [this message]
2019-02-13 15:04 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190213141808.GD10202@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=benjamin.tissoires@redhat.com \
--cc=linux@roeck-us.net \
--cc=oleg@redhat.com \
--cc=stable@vger.kernel.org \
--cc=vdronov@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).