diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch new file mode 100644 index 000000000..d6550383b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch @@ -0,0 +1,65 @@ +From 667514df10a08e4a65cb88f5fd5ffeccd027c4af Mon Sep 17 00:00:00 2001 +From: Marc Zyngier <maz@kernel.org> +Date: Sat, 29 Aug 2020 12:26:01 +0100 +Subject: [PATCH] HID: core: Correctly handle ReportSize being zero + +commit bce1305c0ece3dc549663605e567655dd701752c upstream. + +It appears that a ReportSize value of zero is legal, even if a bit +non-sensical. Most of the HID code seems to handle that gracefully, +except when computing the total size in bytes. When fed as input to +memset, this leads to some funky outcomes. + +Detect the corner case and correctly compute the size. + +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier <maz@kernel.org> +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/hid/hid-core.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 359616e3efbb..d2ecc9c45255 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1597,6 +1597,17 @@ static void hid_output_field(const struct hid_device *hid, + } + } + ++/* ++ * Compute the size of a report. ++ */ ++static size_t hid_compute_report_size(struct hid_report *report) ++{ ++ if (report->size) ++ return ((report->size - 1) >> 3) + 1; ++ ++ return 0; ++} ++ + /* + * Create a report. 'data' has to be allocated using + * hid_alloc_report_buf() so that it has proper size. +@@ -1609,7 +1620,7 @@ void hid_output_report(struct hid_report *report, __u8 *data) + if (report->id > 0) + *data++ = report->id; + +- memset(data, 0, ((report->size - 1) >> 3) + 1); ++ memset(data, 0, hid_compute_report_size(report)); + for (n = 0; n < report->maxfield; n++) + hid_output_field(report->device, report->field[n], data); + } +@@ -1739,7 +1750,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + csize--; + } + +- rsize = ((report->size - 1) >> 3) + 1; ++ rsize = hid_compute_report_size(report); + + if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE - 1; +-- +2.17.1 + |