rpms/kernel
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix CVE-2019-13631 (rhbz 1731000 1731001)

Browse source
This commit is contained in:
Jeremy Cline 2019-07-18 10:00:16 -04:00
commit a8a6833aef
2 changed files with 82 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

76
Input-gtco-bounds-check-collection-indent-level.patch Normal file
View file

@ -0,0 +1,76 @@
From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001
From: Grant Hernandez <granthernandez@google.com>
Date: Thu, 11 Jul 2019 15:22:32 -0700
Subject: [PATCH] Input: gtco - bounds check collection indent level
The GTCO tablet input driver configures itself from an HID report sent
via USB during the initial enumeration process. Some debugging messages
are generated during the parsing. A debugging message indentation
counter is not bounds checked, leading to the ability for a specially
crafted HID report to cause '-' and null bytes be written past the end
of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
enabled, this code will not be optimized out. This was discovered
during code review after a previous syzkaller bug was found in this
driver.
Cc: stable@vger.kernel.org
Signed-off-by: Grant Hernandez <granthernandez@google.com>
---
drivers/input/tablet/gtco.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 4b8b9d7aa75e..9771052ed027 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
/* Max size of a single report */
#define REPORT_MAX_SIZE 10
+#define MAX_COLLECTION_LEVELS 10
/* Bitmask whether pen is in range */
@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
char maintype = 'x';
char globtype[12];
int indent = 0;
- char indentstr[10] = "";
-
+ char indentstr[MAX_COLLECTION_LEVELS+1] = {0};
dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
case TAG_MAIN_COL_START:
maintype = 'S';
+ if (indent == MAX_COLLECTION_LEVELS) {
+ dev_err(ddev, "Collection level %d would exceed limit of %d\n",
+ indent+1, MAX_COLLECTION_LEVELS);
+ break;
+ }
+
if (data == 0) {
dev_dbg(ddev, "======>>>>>> Physical\n");
strcpy(globtype, "Physical");
@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
break;
case TAG_MAIN_COL_END:
- dev_dbg(ddev, "<<<<<<======\n");
maintype = 'E';
+
+ if (indent == 0) {
+ dev_err(ddev, "Collection level already at zero\n");
+ break;
+ }
+
+ dev_dbg(ddev, "<<<<<<======\n");
+
indent--;
for (x = 0; x < indent; x++)
indentstr[x] = '-';
--
2.21.0

6
kernel.spec
View file

@ -629,6 +629,9 @@ Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
# https://patchwork.kernel.org/patch/11029027/
Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
# CVE-2019-13631 rhbz 1731000 1731001
Patch548: Input-gtco-bounds-check-collection-indent-level.patch
# END OF PATCH DEFINITIONS
%endif
@ -1867,6 +1870,9 @@ fi
#
#
%changelog
* Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com>
- Fix CVE-2019-13631 (rhbz 1731000 1731001)
* Mon Jul 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.18-200
- Linux v5.1.18