Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora

18 files changed, 112 insertions, 30 deletions

diff --git a/Input-gtco-bounds-check-collection-indent-level.patch b/Input-gtco-bounds-check-collection-indent-level.patch
new file mode 100644
index 000000000..f74c2dfcf
--- /dev/null
+++ b/Input-gtco-bounds-check-collection-indent-level.patch
@@ -0,0 +1,76 @@
+From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001
+From: Grant Hernandez <granthernandez@google.com>
+Date: Thu, 11 Jul 2019 15:22:32 -0700
+Subject: [PATCH] Input: gtco - bounds check collection indent level
+
+The GTCO tablet input driver configures itself from an HID report sent
+via USB during the initial enumeration process. Some debugging messages
+are generated during the parsing. A debugging message indentation
+counter is not bounds checked, leading to the ability for a specially
+crafted HID report to cause '-' and null bytes be written past the end
+of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
+enabled, this code will not be optimized out.  This was discovered
+during code review after a previous syzkaller bug was found in this
+driver.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Grant Hernandez <granthernandez@google.com>
+---
+ drivers/input/tablet/gtco.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 4b8b9d7aa75e..9771052ed027 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
+ 
+ /* Max size of a single report */
+ #define REPORT_MAX_SIZE       10
++#define MAX_COLLECTION_LEVELS  10
+ 
+ 
+ /* Bitmask whether pen is in range */
+@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ 	char  maintype = 'x';
+ 	char  globtype[12];
+ 	int   indent = 0;
+-	char  indentstr[10] = "";
+-
++	char  indentstr[MAX_COLLECTION_LEVELS+1] = {0};
+ 
+ 	dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
+ 
+@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ 			case TAG_MAIN_COL_START:
+ 				maintype = 'S';
+ 
++				if (indent == MAX_COLLECTION_LEVELS) {
++					dev_err(ddev, "Collection level %d would exceed limit of %d\n",
++						indent+1, MAX_COLLECTION_LEVELS);
++					break;
++				}
++
+ 				if (data == 0) {
+ 					dev_dbg(ddev, "======>>>>>> Physical\n");
+ 					strcpy(globtype, "Physical");
+@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ 				break;
+ 
+ 			case TAG_MAIN_COL_END:
+-				dev_dbg(ddev, "<<<<<<======\n");
+ 				maintype = 'E';
++
++				if (indent == 0) {
++					dev_err(ddev, "Collection level already at zero\n");
++					break;
++				}
++
++				dev_dbg(ddev, "<<<<<<======\n");
++
+ 				indent--;
+ 				for (x = 0; x < indent; x++)
+ 					indentstr[x] = '-';
+-- 
+2.21.0
+
diff --git a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
index f1f433af9..b51889849 100644
--- a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
+++ b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
@@ -1 +1 @@
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
diff --git a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
index 29bd8f86d..e627fd9e9 100644
--- a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
+++ b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
@@ -1 +1 @@
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 3ee558d02..0df3a161d 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -2383,8 +2383,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 9964d6d8a..51e461f6e 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -2367,8 +2367,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index d0d81b8ad..48a70ba1f 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -2426,8 +2426,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 1350ca8c1..4576ca723 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -2340,8 +2340,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 72ec631ba..9d0457154 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -2325,8 +2325,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 8d2811ab0..388b1e254 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2411,8 +2411,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index f89797c5d..2ce656236 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -2148,8 +2148,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-i686.config b/kernel-i686.config
index fe4a05435..4aaff465d 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2131,8 +2131,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index c9abec928..fa9fe3fec 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -1957,8 +1957,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA is not set
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index 4884618b4..8863f4c01 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -1940,8 +1940,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA is not set
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 41f884a15..5fa14d4af 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -1937,8 +1937,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-s390x.config b/kernel-s390x.config
index 3d07d6ec4..23b666043 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -1920,8 +1920,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index ec5e71147..d0fc05bb0 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -2193,8 +2193,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index c45a4ecc6..0be460e83 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2176,8 +2176,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel.spec b/kernel.spec
index ed53e9f39..5d48ee954 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -648,6 +648,9 @@ Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
 # https://patchwork.kernel.org/patch/11029027/
 Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
 
+# CVE-2019-13631 rhbz 1731000 1731001
+Patch548: Input-gtco-bounds-check-collection-indent-level.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1889,6 +1892,9 @@ fi
 #
 #
 %changelog
+* Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com>
+- Fix CVE-2019-13631 (rhbz 1731000 1731001)
+
 * Mon Jul 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.18-300
 - Linux v5.1.18