diff --git a/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch new file mode 100644 index 000000000..0df8a04ae --- /dev/null +++ b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch @@ -0,0 +1,39 @@ +From: Seth Forshee +Date: Fri, 20 Feb 2015 17:45:11 -0500 +Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input + events + +d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ) +changed hid_get_input() to read ihid->bufsize bytes, which can be +more than wMaxInputLength. This is the case with the Dell XPS 13 +9343, and it is causing events to be missed. In some cases the +missed events are releases, which can cause the cursor to jump or +freeze, among other problems. Limit the number of bytes read to +min(wMaxInputLength, ihid->bufsize) to prevent such problems. + +Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ" +Cc: Benjamin Tissoires +Signed-off-by: Seth Forshee +--- + drivers/hid/i2c-hid/i2c-hid.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index 80e33e0abc52..6d7c9c580ceb 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client) + static void i2c_hid_get_input(struct i2c_hid *ihid) + { + int ret, ret_size; +- int size = ihid->bufsize; ++ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); ++ ++ if (size > ihid->bufsize) ++ size = ihid->bufsize; + + ret = i2c_master_recv(ihid->client, ihid->inbuf, size); + if (ret != size) { +-- +2.1.0 + diff --git a/kernel.spec b/kernel.spec index 3b76c18bf..853aa13c0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -767,6 +767,9 @@ Patch26136: vhost-scsi-potential-memory-corruption.patch #CVE-2015-0275 rhbz 1193907 1195178 Patch26138: ext4-Allocate-entire-range-in-zero-range.patch +#rhbz 1188439 +Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch + # END OF PATCH DEFINITIONS %endif @@ -1497,6 +1500,9 @@ ApplyPatch vhost-scsi-potential-memory-corruption.patch #CVE-2015-0275 rhbz 1193907 1195178 ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch +#rhbz 1188439 +ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2316,6 +2322,7 @@ fi # || || %changelog * Mon Feb 23 2015 Josh Boyer +- Add patch for HID i2c from Seth Forshee (rhbz 1188439) - CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178) * Mon Feb 16 2015 Josh Boyer