author | Jeremy Cline <jcline@redhat.com> | 2019-07-18 10:00:16 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2019-07-18 10:01:55 -0400 |
commit | a8a6833aef0bb2ead647dff8883e95896eb6e2e4 (patch) | |
tree | 4d2a329331eba9549128cf65d5fc41b3d5330c6b | |
parent | 834c4d4fdcb4a08871f42907d5ec8c21547cf6c4 (diff) | |
Fix CVE-2019-13631 (rhbz 1731000 1731001)
-rw-r--r-- | Input-gtco-bounds-check-collection-indent-level.patch | 76 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 82 insertions, 0 deletions
diff --git a/Input-gtco-bounds-check-collection-indent-level.patch b/Input-gtco-bounds-check-collection-indent-level.patch
new file mode 100644
index 000000000..f74c2dfcf
--- /dev/null
+++ b/Input-gtco-bounds-check-collection-indent-level.patch
@@ -0,0 +1,76 @@
+From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001
+From: Grant Hernandez <granthernandez@google.com>
+Date: Thu, 11 Jul 2019 15:22:32 -0700
+Subject: [PATCH] Input: gtco - bounds check collection indent level
+
+The GTCO tablet input driver configures itself from an HID report sent
+via USB during the initial enumeration process. Some debugging messages
+are generated during the parsing. A debugging message indentation
+counter is not bounds checked, leading to the ability for a specially
+crafted HID report to cause '-' and null bytes be written past the end
+of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
+enabled, this code will not be optimized out. This was discovered
+during code review after a previous syzkaller bug was found in this
+driver.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Grant Hernandez <granthernandez@google.com>
+---
+ drivers/input/tablet/gtco.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 4b8b9d7aa75e..9771052ed027 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
+
+ /* Max size of a single report */
+ #define REPORT_MAX_SIZE 10
++#define MAX_COLLECTION_LEVELS 10
+
+
+ /* Bitmask whether pen is in range */
+@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ char maintype = 'x';
+ char globtype[12];
+ int indent = 0;
+- char indentstr[10] = "";
+-
++ char indentstr[MAX_COLLECTION_LEVELS+1] = {0};
+
+ dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
+
+@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ case TAG_MAIN_COL_START:
+ maintype = 'S';
+
++ if (indent == MAX_COLLECTION_LEVELS) {
++ dev_err(ddev, "Collection level %d would exceed limit of %d\n",
++ indent+1, MAX_COLLECTION_LEVELS);
++ break;
++ }
++
+ if (data == 0) {
+ dev_dbg(ddev, "======>>>>>> Physical\n");
+ strcpy(globtype, "Physical");
+@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ break;
+
+ case TAG_MAIN_COL_END:
+- dev_dbg(ddev, "<<<<<<======\n");
+ maintype = 'E';
++
++ if (indent == 0) {
++ dev_err(ddev, "Collection level already at zero\n");
++ break;
++ }
++
++ dev_dbg(ddev, "<<<<<<======\n");
++
+ indent--;
+ for (x = 0; x < indent; x++)
+ indentstr[x] = '-';
+--
+2.21.0
+
diff --git a/kernel.spec b/kernel.spec
index d0e17eb7a..6032b661d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -629,6 +629,9 @@ Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch # https://patchwork.kernel.org/patch/11029027/ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
+# CVE-2019-13631 rhbz 1731000 1731001
+Patch548: Input-gtco-bounds-check-collection-indent-level.patch
+
 # END OF PATCH DEFINITIONS %endif
@@ -1867,6 +1870,9 @@ fi # # %changelog
+* Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com>
+- Fix CVE-2019-13631 (rhbz 1731000 1731001)
+
 * Mon Jul 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.18-200 - Linux v5.1.18 |
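Review bot: In the TAG_MAIN_COL_START hunk of the gtco.c patch, the over-depth path only `break`s out of the enclosing switch, so a descriptor already known to be malformed appears to keep being parsed and each further over-depth collection item logs at error level; the same holds for the underflow path in the TAG_MAIN_COL_END hunk. Because the descriptor is supplied by the attached USB device, I would rate-limit both messages with `dev_err_ratelimited(ddev, ...)` or stop parsing at the first violation. The guard would also read more defensively as `if (indent >= MAX_COLLECTION_LEVELS)`, although in the lines shown `indent` only moves by one per item. The parsing loop and the `indent++` that follows the new check lie outside the hunk, so whether anything else modifies `indent` cannot be confirmed from here.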