From cd6338e72336f073342df3b49a4d6cb7fb6cdbee Mon Sep 17 00:00:00 2001

From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Tue, 26 Oct 2021 10:59:31 -0400

Subject: [KPATCH CVE-2021-0512] HID: kpatch fixes for CVE-2021-0512

Kernels:

4.18.0-305.el8

4.18.0-305.3.1.el8_4

4.18.0-305.7.1.el8_4

4.18.0-305.10.2.el8_4

4.18.0-305.12.1.el8_4

4.18.0-305.17.1.el8_4

4.18.0-305.19.1.el8_4

Changes since last build:

arches: x86_64 ppc64le

hid-core.o: changed function: hid_add_field

---------------------------

Kernels:

4.18.0-305.el8

4.18.0-305.3.1.el8_4

4.18.0-305.7.1.el8_4

4.18.0-305.10.2.el8_4

4.18.0-305.12.1.el8_4

4.18.0-305.17.1.el8_4

4.18.0-305.19.1.el8_4

Modifications: none

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/5

Approved-by: Artem Savkov (@artem.savkov)

Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/1350

KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5942710

for kpatch-patch-4_18_0-305-1-6.el8 scratch build:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=40615898

commit 8ee375b059ce42c0c38f2593f76077d915eee89e

Author: Benjamin Tissoires <benjamin.tissoires@redhat.com>

Date:   Tue Aug 17 09:26:20 2021 +0200

    HID: make arrays usage and value to be the same

    Bugzilla: https://bugzilla.redhat.com/1974941

    CVE: CVE-2021-0512

    Y-Commit: 87ed552fb937790a5d9439c179bb523cfb0efdc6

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1974942

    Upstream Status: since v5.12

    Test: me on the hid-tools test suite

    commit ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f

    Author: Will McVicker <willmcvicker@google.com>

    Date:   Sat Dec 5 00:48:48 2020 +0000

        HID: make arrays usage and value to be the same

        The HID subsystem allows an "HID report field" to have a different

        number of "values" and "usages" when it is allocated. When a field

        struct is created, the size of the usage array is guaranteed to be at

        least as large as the values array, but it may be larger. This leads to

        a potential out-of-bounds write in

        __hidinput_change_resolution_multipliers() and an out-of-bounds read in

        hidinput_count_leds().

        To fix this, let's make sure that both the usage and value arrays are

        the same size.

        Cc: stable@vger.kernel.org

        Signed-off-by: Will McVicker <willmcvicker@google.com>

        Signed-off-by: Jiri Kosina <jkosina@suse.cz>

    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>

    Signed-off-by: Julio Faracco <jfaracco@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 drivers/hid/hid-core.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c

index d2ecc9c45255..263eca119ff0 100644

--- a/drivers/hid/hid-core.c

+++ b/drivers/hid/hid-core.c

@@ -90,7 +90,7 @@ EXPORT_SYMBOL_GPL(hid_register_report);

  * Register a new field for this report.

  */

-static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values)

+static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages)

 {

 	struct hid_field *field;

@@ -101,7 +101,7 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned

 	field = kzalloc((sizeof(struct hid_field) +

 			 usages * sizeof(struct hid_usage) +

-			 values * sizeof(unsigned)), GFP_KERNEL);

+			 usages * sizeof(unsigned)), GFP_KERNEL);

 	if (!field)

 		return NULL;

@@ -300,7 +300,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign

 	usages = max_t(unsigned, parser->local.usage_index,

 				 parser->global.report_count);

-	field = hid_register_field(report, usages, parser->global.report_count);

+	field = hid_register_field(report, usages);

 	if (!field)

 		return 0;

-- 

2.31.1