On Mon, Feb 11, 2019 at 04:36:48PM +0100, Vladis Dronov wrote:
> commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
>
> Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
> is strange allowing lost or corrupted data. After commit 717adfdaf147
> ("HID: debug: check length before copy_to_user()") it is possible to enter
> an infinite loop in hid_debug_events_read() by providing 0 as count, this
> locks up a system. Fix this by rewriting the ring buffer implementation
> with kfifo and simplify the code.
>
> This fixes CVE-2019-3819.
>
> Backport to v4.14: 2 tree-wide patches 6396bb22151 ("treewide: kzalloc() ->
> kcalloc()") and a9a08845e9ac ("vfs: do bulk POLL* -> EPOLL* replacement")
> are missing in v4.14 so cherry-pick relevant pieces.
>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
> Cc: stable@xxxxxxxxxxxxxxx # v4.14
> Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
> Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
> Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx>

Thanks for all 4 of these backports, now queued up.

greg k-h