www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Grant Hernandez <granthernandez@google.com>
	Sat, 13 Jul 2019 08:00:12 +0000 (01:00 -0700)
committer	Brian Maly <brian.maly@oracle.com>
	Wed, 7 Aug 2019 20:56:17 +0000 (16:56 -0400)
commit	da42dc7d2baf99de3a58f8dc3d20143ed36515a1
tree	155227d7bd9a6d0c25eac974d958dab1c3572b4c	tree
parent	5674aeb057d71c521f24c41a02fe212c7586ee96	commit \| diff

Input: gtco - bounds check collection indent level

The GTCO tablet input driver configures itself from an HID report sent
via USB during the initial enumeration process. Some debugging messages
are generated during the parsing. A debugging message indentation
counter is not bounds checked, leading to the ability for a specially
crafted HID report to cause '-' and null bytes be written past the end
of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
enabled, this code will not be optimized out. This was discovered
during code review after a previous syzkaller bug was found in this
driver.

Signed-off-by: Grant Hernandez <granthernandez@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1)

Orabug: 30074413
CVE: CVE-2019-13631

Reviewed-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>