review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Vladis Dronov <vdronov@redhat.com>
	Tue, 29 Jan 2019 10:58:35 +0000 (11:58 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 12 Feb 2019 18:47:24 +0000 (19:47 +0100)
commit	c70374ce418e7ae9276d3dc26aed0301e4da5e35
tree	ee2c93a577fecba20bcda4640cd56dd4dc64f277	tree \| snapshot
parent	6ccc9e1128e50e518ecdf9e1b120c735e40de25a	commit \| diff

HID: debug: fix the ring buffer implementation

commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.

Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
is strange allowing lost or corrupted data. After commit 717adfdaf147
("HID: debug: check length before copy_to_user()") it is possible to enter
an infinite loop in hid_debug_events_read() by providing 0 as count, this
locks up a system. Fix this by rewriting the ring buffer implementation
with kfifo and simplify the code.

This fixes CVE-2019-3819.

v2: fix an execution logic and add a comment
v3: use __set_current_state() instead of set_current_state()

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
Cc: stable@vger.kernel.org # v4.18+
Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/hid/hid-debug.c		diff \| blob \| history
include/linux/hid-debug.h		diff \| blob \| history