diff options
| author | Jeremy Cline <jeremy@jcline.org> | 2017-11-29 13:16:14 -0500 |
|---|---|---|
| committer | Jeremy Cline <jeremy@jcline.org> | 2017-11-29 13:16:14 -0500 |
| commit | cf68d0e49acfb0fe65181501549a41aee3961874 (patch) | |
| tree | 051cabbdc9889f625516b974a97de23d0a3645cb | |
| parent | 3f119951a08c8c0a49f68ba2e465c0dcc9f6b4b3 (diff) | |
| download | kernel-cf68d0e49acfb0fe65181501549a41aee3961874.tar.gz kernel-cf68d0e49acfb0fe65181501549a41aee3961874.tar.xz kernel-cf68d0e49acfb0fe65181501549a41aee3961874.zip | |
Fix null pointer dereference when a USB device detached (rhbz 1462175)
| -rw-r--r-- | HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch | 54 | ||||
| -rw-r--r-- | kernel.spec | 6 |
2 files changed, 60 insertions, 0 deletions
diff --git a/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch b/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch new file mode 100644 index 000000000..d6a8e6a52 --- /dev/null +++ b/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch @@ -0,0 +1,54 @@ +From ef14a4bf0910d06c7e202552914028d4956809cb Mon Sep 17 00:00:00 2001 +From: Andrew Duggan <aduggan@synaptics.com> +Date: Tue, 17 Oct 2017 18:37:36 -0700 +Subject: [PATCH] HID: rmi: Check that a device is a RMI device before calling + RMI functions + +The hid-rmi driver may handle non rmi devices on composite USB devices. +Callbacks need to make sure that the current device is a RMI device before +calling RMI specific functions. Most callbacks already have this check, but +this patch adds checks to the remaining callbacks. + +Reported-by: Hendrik Langer <hendrik.langer@gmx.de> +Tested-by: Hendrik Langer <hendrik.langer@gmx.de> +Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Andrew Duggan <aduggan@synaptics.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +--- + drivers/hid/hid-rmi.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c +index ef241d66562e..0f43c4292685 100644 +--- a/drivers/hid/hid-rmi.c ++++ b/drivers/hid/hid-rmi.c +@@ -368,6 +368,11 @@ static int rmi_check_sanity(struct hid_device *hdev, u8 *data, int size) + static int rmi_raw_event(struct hid_device *hdev, + struct hid_report *report, u8 *data, int size) + { ++ struct rmi_data *hdata = hid_get_drvdata(hdev); ++ ++ if (!(hdata->device_flags & RMI_DEVICE)) ++ return 0; ++ + size = rmi_check_sanity(hdev, data, size); + if (size < 2) + return 0; +@@ -713,9 +718,11 @@ static void rmi_remove(struct hid_device *hdev) + { + struct rmi_data *hdata = hid_get_drvdata(hdev); + +- clear_bit(RMI_STARTED, &hdata->flags); +- cancel_work_sync(&hdata->reset_work); +- rmi_unregister_transport_device(&hdata->xport); ++ if (hdata->device_flags & RMI_DEVICE) { ++ clear_bit(RMI_STARTED, &hdata->flags); ++ cancel_work_sync(&hdata->reset_work); ++ rmi_unregister_transport_device(&hdata->xport); ++ } + + hid_hw_stop(hdev); + } +-- +2.14.3 + diff --git a/kernel.spec b/kernel.spec index 4e075e524..00fa78b50 100644 --- a/kernel.spec +++ b/kernel.spec @@ -723,6 +723,9 @@ Patch639: CVE-2017-16538.patch # rhbz 1507931 Patch640: qxl_cursor_fix.patch +# rhbz 1462175 +Patch641: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch + # END OF PATCH DEFINITIONS %endif @@ -2277,6 +2280,9 @@ fi # # %changelog +* Wed Nov 29 2017 Jeremy Cline <jeremy@jcline.org> +- Fix USB null pointer dereference on ThinkPad X1 (rhbz 1462175) + * Mon Nov 27 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.16-300 - Linux v4.13.16 - Fix CVE-2017-16649 (rhbz 1516267 1516274) |