author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-07-21 19:23:12 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-07-21 19:23:12 +0200 |
commit | d78acd272050c215695799bf9242e91c382e5281 (patch) | |
tree | 60a894f48b076e6e1a777ad47e187d6c2fde20b4 | |
parent | 4e4971edcd1f4c914591f46de9a3cf1c682d4361 (diff) | |
parent | 3d5a0b43e81f1ec5e6e2be3d777406d170935e79 (diff) | |
download | kernel-d78acd272050c215695799bf9242e91c382e5281.tar.gz kernel-d78acd272050c215695799bf9242e91c382e5281.tar.xz kernel-d78acd272050c215695799bf9242e91c382e5281.zip |
Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora
-rw-r--r-- | Input-gtco-bounds-check-collection-indent-level.patch | 76 | ||||
-rw-r--r-- | configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 | 2 | ||||
-rw-r--r-- | configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 | 2 | ||||
-rw-r--r-- | kernel-aarch64-debug.config | 4 | ||||
-rw-r--r-- | kernel-aarch64.config | 4 | ||||
-rw-r--r-- | kernel-armv7hl-debug.config | 4 | ||||
-rw-r--r-- | kernel-armv7hl-lpae-debug.config | 4 | ||||
-rw-r--r-- | kernel-armv7hl-lpae.config | 4 | ||||
-rw-r--r-- | kernel-armv7hl.config | 4 | ||||
-rw-r--r-- | kernel-i686-debug.config | 4 | ||||
-rw-r--r-- | kernel-i686.config | 4 | ||||
-rw-r--r-- | kernel-ppc64le-debug.config | 4 | ||||
-rw-r--r-- | kernel-ppc64le.config | 4 | ||||
-rw-r--r-- | kernel-s390x-debug.config | 4 | ||||
-rw-r--r-- | kernel-s390x.config | 4 | ||||
-rw-r--r-- | kernel-x86_64-debug.config | 4 | ||||
-rw-r--r-- | kernel-x86_64.config | 4 | ||||
-rw-r--r-- | kernel.spec | 6 |
18 files changed, 112 insertions, 30 deletions
diff --git a/Input-gtco-bounds-check-collection-indent-level.patch b/Input-gtco-bounds-check-collection-indent-level.patch
new file mode 100644
index 000000000..f74c2dfcf
--- /dev/null
+++ b/Input-gtco-bounds-check-collection-indent-level.patch
@@ -0,0 +1,76 @@
+From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001
+From: Grant Hernandez <granthernandez@google.com>
+Date: Thu, 11 Jul 2019 15:22:32 -0700
+Subject: [PATCH] Input: gtco - bounds check collection indent level
+
+The GTCO tablet input driver configures itself from an HID report sent
+via USB during the initial enumeration process. Some debugging messages
+are generated during the parsing. A debugging message indentation
+counter is not bounds checked, leading to the ability for a specially
+crafted HID report to cause '-' and null bytes be written past the end
+of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
+enabled, this code will not be optimized out. This was discovered
+during code review after a previous syzkaller bug was found in this
+driver.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Grant Hernandez <granthernandez@google.com>
+---
+ drivers/input/tablet/gtco.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 4b8b9d7aa75e..9771052ed027 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
+
+ /* Max size of a single report */
+ #define REPORT_MAX_SIZE 10
++#define MAX_COLLECTION_LEVELS 10
+
+
+ /* Bitmask whether pen is in range */
+@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ char maintype = 'x';
+ char globtype[12];
+ int indent = 0;
+- char indentstr[10] = "";
+-
++ char indentstr[MAX_COLLECTION_LEVELS+1] = {0};
+
+ dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
+
+@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ case TAG_MAIN_COL_START:
+ maintype = 'S';
+
++ if (indent == MAX_COLLECTION_LEVELS) {
++ dev_err(ddev, "Collection level %d would exceed limit of %d\n",
++ indent+1, MAX_COLLECTION_LEVELS);
++ break;
++ }
++
+ if (data == 0) {
+ dev_dbg(ddev, "======>>>>>> Physical\n");
+ strcpy(globtype, "Physical");
+@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ break;
+
+ case TAG_MAIN_COL_END:
+- dev_dbg(ddev, "<<<<<<======\n");
+ maintype = 'E';
++
++ if (indent == 0) {
++ dev_err(ddev, "Collection level already at zero\n");
++ break;
++ }
++
++ dev_dbg(ddev, "<<<<<<======\n");
++
+ indent--;
+ for (x = 0; x < indent; x++)
+ indentstr[x] = '-';
+--
+2.21.0
+
diff --git a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
index f1f433af9..b51889849 100644
--- a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
+++ b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
@@ -1 +1 @@
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
diff --git a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
index 29bd8f86d..e627fd9e9 100644
--- a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
+++ b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
@@ -1 +1 @@
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 3ee558d02..0df3a161d 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -2383,8 +2383,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 9964d6d8a..51e461f6e 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
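Review bot: Both new guards in parse_hid_report_descriptor test for exact equality (`indent == MAX_COLLECTION_LEVELS` under TAG_MAIN_COL_START, `indent == 0` under TAG_MAIN_COL_END), which keeps the indentstr writes in bounds only as long as indent is never changed by more than one step elsewhere; `if (indent >= MAX_COLLECTION_LEVELS) {` and `if (indent <= 0) {` cost nothing and hold regardless. Each rejected tag also logs through dev_err, and per the patch description the descriptor being parsed is sent by the USB device, so a malformed descriptor can produce one kernel log line per excess tag; `dev_err_ratelimited(...)` with the same arguments would bound that. The function starts and ends outside the four hunks carried in this patch file, so the increment path after the Physical branch is not visible here.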
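Review bot: The switch of the IMA default hash from SHA1 to SHA256 in configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 and CONFIG_IMA_DEFAULT_HASH_SHA256 (repeated in every kernel-*.config section that follows) is not documented anywhere in this diff: the only %changelog line added to kernel.spec is `- Fix CVE-2019-13631 (rhbz 1731000 1731001)`. Anything that compares IMA digests against stored reference values would presumably see a different digest algorithm after this build, so a changelog line such as `- Switch the IMA default hash from SHA1 to SHA256` would help the people who have to adjust for it. This is a merge commit, so the entry may exist on a part of the changelog that the diff does not show.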
@@ -2367,8 +2367,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index d0d81b8ad..48a70ba1f 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -2426,8 +2426,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 1350ca8c1..4576ca723 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -2340,8 +2340,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 72ec631ba..9d0457154 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -2325,8 +2325,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 8d2811ab0..388b1e254 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2411,8 +2411,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index f89797c5d..2ce656236 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -2148,8 +2148,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-i686.config b/kernel-i686.config
index fe4a05435..4aaff465d 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2131,8 +2131,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index c9abec928..fa9fe3fec 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -1957,8 +1957,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA is not set
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index 4884618b4..8863f4c01 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -1940,8 +1940,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA is not set
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 41f884a15..5fa14d4af 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -1937,8 +1937,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-s390x.config b/kernel-s390x.config
index 3d07d6ec4..23b666043 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -1920,8 +1920,8 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index ec5e71147..d0fc05bb0 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -2193,8 +2193,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index c45a4ecc6..0be460e83 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2176,8 +2176,8 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 # CONFIG_IMA_APPRAISE is not set
 # CONFIG_IMA_ARCH_POLICY is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
diff --git a/kernel.spec b/kernel.spec
index ed53e9f39..5d48ee954 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -648,6 +648,9 @@ Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch # https://patchwork.kernel.org/patch/11029027/ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch +# CVE-2019-13631 rhbz 1731000 1731001 +Patch548: Input-gtco-bounds-check-collection-indent-level.patch + # END OF PATCH DEFINITIONS %endif
@@ -1889,6 +1892,9 @@ fi # # %changelog +* Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com> +- Fix CVE-2019-13631 (rhbz 1731000 1731001) + * Mon Jul 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.18-300 - Linux v5.1.18 |