HID: debug: fix the ring buffer implementation - linux

diff options

author	Vladis Dronov <vdronov@redhat.com>	2019-01-29 11:58:35 +0100
committer	Benjamin Tissoires <benjamin.tissoires@redhat.com>	2019-01-29 12:09:11 +0100
commit	13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 (patch)
tree	e1385b1d1ad52472b30ec37fb46358d4069f16a6 /lib/bug.c
parent	HID: core: simplify active collection tracking (diff)
download	linux-13054abbaa4f1fd4e6f3b4b63439ec033b4c8035.tar.xz linux-13054abbaa4f1fd4e6f3b4b63439ec033b4c8035.zip

HID: debug: fix the ring buffer implementation

Ring buffer implementation in hid_debug_event() and hid_debug_events_read() is strange allowing lost or corrupted data. After commit 717adfdaf147 ("HID: debug: check length before copy_to_user()") it is possible to enter an infinite loop in hid_debug_events_read() by providing 0 as count, this locks up a system. Fix this by rewriting the ring buffer implementation with kfifo and simplify the code. This fixes CVE-2019-3819. v2: fix an execution logic and add a comment v3: use __set_current_state() instead of set_current_state() Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187 Cc: stable@vger.kernel.org # v4.18+ Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping") Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()") Signed-off-by: Vladis Dronov <vdronov@redhat.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>

Diffstat (limited to 'lib/bug.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: