[linux] 01/02: HID: corsair: fix DMA buffers on stack (CVE-2017-5547)

[debian-kernel at lists.debian.org]

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit c74f7d65fe63ab2b76378106fde67f5ae194fe05
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Mon Jan 23 20:56:11 2017 +0100

    HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
---
 debian/changelog                                   |   1 +
 .../all/HID-corsair-fix-DMA-buffers-on-stack.patch | 144 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 146 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c48c2ce..4d07bb1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -352,6 +352,7 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
 
   [ Salvatore Bonaccorso ]
   * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
+  * HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
 
   [ Roger Shimizu ]
   * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
diff --git a/debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch b/debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
new file mode 100644
index 0000000..a2240bd
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
@@ -0,0 +1,144 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Thu, 12 Jan 2017 18:17:42 +0100
+Subject: HID: corsair: fix DMA buffers on stack
+Origin: https://git.kernel.org/linus/6d104af38b570d37aa32a5803b04c354f8ed513d
+
+Not all platforms support DMA to the stack, and specifically since v4.9
+this is no longer supported on x86 with VMAP_STACK either.
+
+Note that the macro-mode buffer was larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Johan Hovold <johan at kernel.org>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+---
+ drivers/hid/hid-corsair.c | 54 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-corsair.c b/drivers/hid/hid-corsair.c
+index 717704e..5971907 100644
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev)
+ 	struct usb_interface *usbif = to_usb_interface(dev->parent);
+ 	struct usb_device *usbdev = interface_to_usbdev(usbif);
+ 	int brightness;
+-	char data[8];
++	char *data;
++
++	data = kmalloc(8, GFP_KERNEL);
++	if (!data)
++		return -ENOMEM;
+ 
+ 	ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ 			      K90_REQUEST_STATUS,
+@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev)
+ 	if (ret < 0) {
+ 		dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ 			 ret);
+-		return -EIO;
++		ret = -EIO;
++		goto out;
+ 	}
+ 	brightness = data[4];
+ 	if (brightness < 0 || brightness > 3) {
+ 		dev_warn(dev,
+ 			 "Read invalid backlight brightness: %02hhx.\n",
+ 			 data[4]);
+-		return -EIO;
++		ret = -EIO;
++		goto out;
+ 	}
+-	return brightness;
++	ret = brightness;
++out:
++	kfree(data);
++
++	return ret;
+ }
+ 
+ static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
+@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struct device *dev,
+ 	struct usb_interface *usbif = to_usb_interface(dev->parent);
+ 	struct usb_device *usbdev = interface_to_usbdev(usbif);
+ 	const char *macro_mode;
+-	char data[8];
++	char *data;
++
++	data = kmalloc(2, GFP_KERNEL);
++	if (!data)
++		return -ENOMEM;
+ 
+ 	ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ 			      K90_REQUEST_GET_MODE,
+@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struct device *dev,
+ 	if (ret < 0) {
+ 		dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ 			 ret);
+-		return -EIO;
++		ret = -EIO;
++		goto out;
+ 	}
+ 
+ 	switch (data[0]) {
+@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struct device *dev,
+ 	default:
+ 		dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
+ 			 data[0]);
+-		return -EIO;
++		ret = -EIO;
++		goto out;
+ 	}
+ 
+-	return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++	ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++out:
++	kfree(data);
++
++	return ret;
+ }
+ 
+ static ssize_t k90_store_macro_mode(struct device *dev,
+@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(struct device *dev,
+ 	struct usb_interface *usbif = to_usb_interface(dev->parent);
+ 	struct usb_device *usbdev = interface_to_usbdev(usbif);
+ 	int current_profile;
+-	char data[8];
++	char *data;
++
++	data = kmalloc(8, GFP_KERNEL);
++	if (!data)
++		return -ENOMEM;
+ 
+ 	ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ 			      K90_REQUEST_STATUS,
+@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(struct device *dev,
+ 	if (ret < 0) {
+ 		dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ 			 ret);
+-		return -EIO;
++		ret = -EIO;
++		goto out;
+ 	}
+ 	current_profile = data[7];
+ 	if (current_profile < 1 || current_profile > 3) {
+ 		dev_warn(dev, "Read invalid current profile: %02hhx.\n",
+ 			 data[7]);
+-		return -EIO;
++		ret = -EIO;
++		goto out;
+ 	}
+ 
+-	return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++	ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++out:
++	kfree(data);
++
++	return ret;
+ }
+ 
+ static ssize_t k90_store_current_profile(struct device *dev,
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index d23c024..12a3016 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -97,6 +97,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
+bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git