Merge remote-tracking branch 'origin/f29' into f29-user-thl-vanilla-fedora

2 files changed, 82 insertions, 0 deletions

diff --git a/Input-gtco-bounds-check-collection-indent-level.patch b/Input-gtco-bounds-check-collection-indent-level.patch
new file mode 100644
index 000000000..f74c2dfcf
--- /dev/null
+++ b/Input-gtco-bounds-check-collection-indent-level.patch
@@ -0,0 +1,76 @@
+From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001
+From: Grant Hernandez <granthernandez@google.com>
+Date: Thu, 11 Jul 2019 15:22:32 -0700
+Subject: [PATCH] Input: gtco - bounds check collection indent level
+
+The GTCO tablet input driver configures itself from an HID report sent
+via USB during the initial enumeration process. Some debugging messages
+are generated during the parsing. A debugging message indentation
+counter is not bounds checked, leading to the ability for a specially
+crafted HID report to cause '-' and null bytes be written past the end
+of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
+enabled, this code will not be optimized out.  This was discovered
+during code review after a previous syzkaller bug was found in this
+driver.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Grant Hernandez <granthernandez@google.com>
+---
+ drivers/input/tablet/gtco.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 4b8b9d7aa75e..9771052ed027 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
+ 
+ /* Max size of a single report */
+ #define REPORT_MAX_SIZE       10
++#define MAX_COLLECTION_LEVELS  10
+ 
+ 
+ /* Bitmask whether pen is in range */
+@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ 	char  maintype = 'x';
+ 	char  globtype[12];
+ 	int   indent = 0;
+-	char  indentstr[10] = "";
+-
++	char  indentstr[MAX_COLLECTION_LEVELS+1] = {0};
+ 
+ 	dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
+ 
+@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ 			case TAG_MAIN_COL_START:
+ 				maintype = 'S';
+ 
++				if (indent == MAX_COLLECTION_LEVELS) {
++					dev_err(ddev, "Collection level %d would exceed limit of %d\n",
++						indent+1, MAX_COLLECTION_LEVELS);
++					break;
++				}
++
+ 				if (data == 0) {
+ 					dev_dbg(ddev, "======>>>>>> Physical\n");
+ 					strcpy(globtype, "Physical");
+@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ 				break;
+ 
+ 			case TAG_MAIN_COL_END:
+-				dev_dbg(ddev, "<<<<<<======\n");
+ 				maintype = 'E';
++
++				if (indent == 0) {
++					dev_err(ddev, "Collection level already at zero\n");
++					break;
++				}
++
++				dev_dbg(ddev, "<<<<<<======\n");
++
+ 				indent--;
+ 				for (x = 0; x < indent; x++)
+ 					indentstr[x] = '-';
+-- 
+2.21.0
+
diff --git a/kernel.spec b/kernel.spec
index b72c743e0..d31af34a2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -646,6 +646,9 @@ Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
 # https://patchwork.kernel.org/patch/11029027/
 Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
 
+# CVE-2019-13631 rhbz 1731000 1731001
+Patch548: Input-gtco-bounds-check-collection-indent-level.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1887,6 +1890,9 @@ fi
 #
 #
 %changelog
+* Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com>
+- Fix CVE-2019-13631 (rhbz 1731000 1731001)
+
 * Mon Jul 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.18-200
 - Linux v5.1.18