summaryrefslogtreecommitdiff
path: root/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch65
1 files changed, 65 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch
new file mode 100644
index 000000000..d6550383b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0465/0001-HID-core-Correctly-handle-ReportSize-being-zero.patch
@@ -0,0 +1,65 @@
+From 667514df10a08e4a65cb88f5fd5ffeccd027c4af Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sat, 29 Aug 2020 12:26:01 +0100
+Subject: [PATCH] HID: core: Correctly handle ReportSize being zero
+
+commit bce1305c0ece3dc549663605e567655dd701752c upstream.
+
+It appears that a ReportSize value of zero is legal, even if a bit
+non-sensical. Most of the HID code seems to handle that gracefully,
+except when computing the total size in bytes. When fed as input to
+memset, this leads to some funky outcomes.
+
+Detect the corner case and correctly compute the size.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 359616e3efbb..d2ecc9c45255 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1597,6 +1597,17 @@ static void hid_output_field(const struct hid_device *hid,
+ }
+ }
+
++/*
++ * Compute the size of a report.
++ */
++static size_t hid_compute_report_size(struct hid_report *report)
++{
++ if (report->size)
++ return ((report->size - 1) >> 3) + 1;
++
++ return 0;
++}
++
+ /*
+ * Create a report. 'data' has to be allocated using
+ * hid_alloc_report_buf() so that it has proper size.
+@@ -1609,7 +1620,7 @@ void hid_output_report(struct hid_report *report, __u8 *data)
+ if (report->id > 0)
+ *data++ = report->id;
+
+- memset(data, 0, ((report->size - 1) >> 3) + 1);
++ memset(data, 0, hid_compute_report_size(report));
+ for (n = 0; n < report->maxfield; n++)
+ hid_output_field(report->device, report->field[n], data);
+ }
+@@ -1739,7 +1750,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+ csize--;
+ }
+
+- rsize = ((report->size - 1) >> 3) + 1;
++ rsize = hid_compute_report_size(report);
+
+ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
+ rsize = HID_MAX_BUFFER_SIZE - 1;
+--
+2.17.1
+
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-11 05:43:03 +0300