Add patch for HID i2c from Seth Forshee (rhbz 1188439)

This commit is contained in:
Josh Boyer 2015-02-23 15:08:16 -05:00
parent 8b51d0f5ea
commit a36e7653df
2 changed files with 48 additions and 0 deletions

View File

@ -0,0 +1,39 @@
From: Seth Forshee <seth.forshee () canonical ! com>
Date: Fri, 20 Feb 2015 17:45:11 -0500
Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
events
d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
changed hid_get_input() to read ihid->bufsize bytes, which can be
more than wMaxInputLength. This is the case with the Dell XPS 13
9343, and it is causing events to be missed. In some cases the
missed events are releases, which can cause the cursor to jump or
freeze, among other problems. Limit the number of bytes read to
min(wMaxInputLength, ihid->bufsize) to prevent such problems.
Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---
drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index d43e967e7533..5e72fc2428f0 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
static void i2c_hid_get_input(struct i2c_hid *ihid)
{
int ret, ret_size;
- int size = ihid->bufsize;
+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
+
+ if (size > ihid->bufsize)
+ size = ihid->bufsize;
ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
if (ret != size) {
--
2.1.0

View File

@ -619,6 +619,9 @@ Patch26137: fifo-nv04-remove-the-loop-from-the-interrupt-handler.patch
#CVE-2015-0275 rhbz 1193907 1195178 #CVE-2015-0275 rhbz 1193907 1195178
Patch26138: ext4-Allocate-entire-range-in-zero-range.patch Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
#rhbz 1188439
Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch Patch30000: kernel-arm64.patch
Patch30001: kernel-arm64-fix-psci-when-pg.patch Patch30001: kernel-arm64-fix-psci-when-pg.patch
@ -1345,6 +1348,9 @@ ApplyPatch fifo-nv04-remove-the-loop-from-the-interrupt-handler.patch
#CVE-2015-0275 rhbz 1193907 1195178 #CVE-2015-0275 rhbz 1193907 1195178
ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
#rhbz 1188439
ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
%if 0%{?aarch64patches} %if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@ -2203,6 +2209,9 @@ fi
# #
# #
%changelog %changelog
* Mon Feb 23 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Add patch for HID i2c from Seth Forshee (rhbz 1188439)
* Mon Feb 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc1.git0.1 * Mon Feb 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc1.git0.1
- Linux v4.0-rc1 - Linux v4.0-rc1
- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178) - CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)