| From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001 |
| From: Daniel Rosenberg <drosen@google.com> |
| Date: Mon, 2 Jul 2018 16:59:37 -0700 |
| Subject: HID: debug: check length before copy_to_user() |
| |
| From: Daniel Rosenberg <drosen@google.com> |
| |
| commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream. |
| |
| If our length is greater than the size of the buffer, we |
| overflow the buffer |
| |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Daniel Rosenberg <drosen@google.com> |
| Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/hid-debug.c | 8 +++++++- |
| 1 file changed, 7 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/hid/hid-debug.c |
| +++ b/drivers/hid/hid-debug.c |
| @@ -1152,6 +1152,8 @@ copy_rest: |
| goto out; |
| if (list->tail > list->head) { |
| len = list->tail - list->head; |
| + if (len > count) |
| + len = count; |
| |
| if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { |
| ret = -EFAULT; |
| @@ -1161,6 +1163,8 @@ copy_rest: |
| list->head += len; |
| } else { |
| len = HID_DEBUG_BUFSIZE - list->head; |
| + if (len > count) |
| + len = count; |
| |
| if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { |
| ret = -EFAULT; |
| @@ -1168,7 +1172,9 @@ copy_rest: |
| } |
| list->head = 0; |
| ret += len; |
| - goto copy_rest; |
| + count -= len; |
| + if (count > 0) |
| + goto copy_rest; |
| } |
| |
| } |