mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-05 18:39:59 +00:00
Code Issues Releases Wiki Activity
No description
716072 commits 104 branches 5082 tags 5.5 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
Find a file
Breno Leitao 872f9d8665 HID: hiddev: fix potential Spectre v1 
commit f11274396a upstream.

uref->usage_index can be indirectly controlled by userspace, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This field is used as an array index by the hiddev_ioctl_usage() function,
when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
HIDIOCSUSAGES.

For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
field->maxusage and then used as an index to dereference field->usage
array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
uref->usage_index is checked against an array maximum value and then it is
used as an index in an array.

This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
traditional Spectre V1 first load:

	copy_from_user(uref, user_arg, sizeof(*uref))
	if (uref->usage_index >= field->maxusage)
		goto inval;
	i = field->usage[uref->usage_index].collection_index;
	return i;

This patch fixes this by sanitizing field uref->usage_index before using it
to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.

Cc: <stable@vger.kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
v2: Contemplate cmd == HIDIOC{G,S}USAGES case
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-11-13 11:15:06 -08:00
arch xen/pvh: don't try to unplug emulated devices 2018-11-13 11:15:02 -08:00
block block, bfq: correctly charge and reset entity service in all cases 2018-11-13 11:14:55 -08:00
certs Replace magic for trusting the secondary keyring with #define 2018-09-09 19:55:54 +02:00
crypto crypto: skcipher - Fix -Wstringop-truncation warnings 2018-10-03 17:00:45 -07:00
Documentation ARM: dts: at91: add new compatibility string for macb on sama5d3 2018-10-18 09:16:22 +02:00
drivers HID: hiddev: fix potential Spectre v1 2018-11-13 11:15:06 -08:00
firmware License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fs ext4: fix use-after-free race in ext4_remount()'s error path 2018-11-13 11:15:06 -08:00
include UAPI: ndctl: Fix g++-unsupported initialisation in headers 2018-11-13 11:14:57 -08:00
init init: rename and re-order boot_cpu_state_init() 2018-08-15 18:12:48 +02:00
ipc ipc/sem.c: prevent queue.status tearing in semop 2018-09-05 09:26:30 +02:00
kernel signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init 2018-11-13 11:15:00 -08:00
lib locking/lockdep: Fix debug_locks off performance problem 2018-11-13 11:14:51 -08:00
mm mremap: properly flush TLB before releasing the page 2018-10-20 09:48:53 +02:00
net net/ipv4: defensive cipso option parsing 2018-11-13 11:15:04 -08:00
samples samples/bpf: Check the error of write() and read() 2018-08-24 13:09:12 +02:00
scripts kconfig: fix the rule of mainmenu_stmt symbol 2018-11-04 14:52:45 +01:00
security Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name" 2018-09-29 03:06:04 -07:00
sound ASoC: intel: skylake: Add missing break in skl_tplg_get_token() 2018-11-13 11:15:05 -08:00
tools cpupower: Fix AMD Family 0x17 msr_pstate size 2018-11-13 11:15:01 -08:00
usr initramfs: fix initramfs rebuilds w/ compression after disabling 2017-11-03 07:39:19 -07:00
virt KVM: arm/arm64: Fix vgic init race 2018-09-26 08:38:04 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes .gitattributes: set git diff driver for C source code files 2016-10-07 18:46:30 -07:00
.gitignore kbuild: rpm-pkg: keep spec file until make mrproper 2018-02-13 10:19:46 +01:00
.mailmap .mailmap: Add Maciej W. Rozycki's Imagination e-mail address 2017-11-10 12:16:15 -08:00
COPYING
CREDITS MAINTAINERS: update TPM driver infrastructure changes 2017-11-09 17:58:40 -08:00
Kbuild License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
MAINTAINERS dt-bindings: Document mti,mips-cpc binding 2018-03-15 10:54:35 +01:00
Makefile Linux 4.14.80 2018-11-10 07:48:36 -08:00
README README: add a new README file, pointing to the Documentation/ 2016-10-24 08:12:35 -02:00

README 

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.