On Mon, Feb 11, 2019 at 09:26:25AM -0800, Guenter Roeck wrote:
> From: Vladis Dronov <vdronov@xxxxxxxxxx>
>
> commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
>
> Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
> is strange allowing lost or corrupted data. After commit 717adfdaf147
> ("HID: debug: check length before copy_to_user()") it is possible to enter
> an infinite loop in hid_debug_events_read() by providing 0 as count, this
> locks up a system. Fix this by rewriting the ring buffer implementation
> with kfifo and simplify the code.
>
> This fixes CVE-2019-3819.
>
> v2: fix an execution logic and add a comment
> v3: use __set_current_state() instead of set_current_state()
>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
> Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
> Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
> Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx>
> Reviewed-by: Oleg Nesterov <oleg@xxxxxxxxxx>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> [groeck: backport to v4.14.y]
> Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
> ---
> This patch is marked v4.18+, but commit 717adfdaf147 is marked for stable
> and found its way into all stable releases. Therefore, this patch is needed
> in older stable releases as well. This patch only applies to v4.14.y;
> backport to v4.9.y will follow.
>
> Copying patch author and reviewers to make sure I didn't miss anything.
>
>  drivers/hid/hid-debug.c   | 121 ++++++++++++++++++----------------------------
>  include/linux/hid-debug.h |   9 ++--
>  2 files changed, 51 insertions(+), 79 deletions(-)

Vladis sent backports that are a bit different from yours, so I'll go with
his now :)

thanks,

greg k-h