Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2005535imm;
        Tue, 10 Jul 2018 11:27:19 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpeeKzljV+3wTCn89uLcv3tLh4JXiSpBODuERFVf02Xn7lRGzxgd6xE+JHLljgonGB9AH2IN
X-Received: by 2002:a63:68c1:: with SMTP id d184-v6mr23633129pgc.239.1531247239238;
        Tue, 10 Jul 2018 11:27:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531247239; cv=none;
        d=google.com; s=arc-20160816;
        b=szDBYk0oCggsNlkxpzb38x4K8Hn4gDuUhwgciL8wGN+kjWMAWkxDn+NgrSAlA0/eMj
         iuql1UE7G2uMF0OcqEa+xfNGfY9JMYiEC6S9Jb8SdI4CVxDOoKtb+9NXKHc4B1Ea/yZB
         JQwR9RjZfvnSjai3gmJBxnGD//dOrwxeBZ1m/zhGjA9nVW5mhMn1Z3PMwP7+O9hM2DGy
         oo4dRwzPO9Th97sFPrBaGmVOaOMG4UxsRRL3/jf3N9VnzgzCghthY1uqb53FEUfiEz2Z
         TT7bgOVFhu7AKFDL8hXFMqWX4H96MiYMJrPso6+kUksRFsEh9J7tqSY6+93TFqVDoTGq
         SN4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=fZT2DbsvS3mTmJ024Td8HKYWlVcfZgfvMhDr4JZzSt8=;
        b=dVRSzFiCN8DPogjUUxAVdeoWaLXBEGdxXMxIHJn9jvQtJ/dGwPcu4bjNggxkRC5lrB
         b13sMt53QSFHD5CyGMl/+gUTV9rDgN1jBWpQJweecAZTiPXSowCyf27a0XZ2eIVZMqWK
         wFYQUjuDERSVVmI7ZC6SXJfoxaZ3zej5jK0+/vXEL6dk09FP72BO+ehmBtNzOM+N7jA5
         ghjbB/YwoTfo4FPlqvVroRk1ct7ZFb8mrrJOXwWvdsB0MyjDpSnUIyiHXp0GJbCYqnqg
         zolkE27F6C6SSDZmCWqDd4XoDywc8RpNj18PO5Fq81GMjsueKgwgjor+TrknRQoyvbiw
         rG7A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j19-v6si2469173pgg.313.2018.07.10.11.27.03;
        Tue, 10 Jul 2018 11:27:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732706AbeGJS0O (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 10 Jul 2018 14:26:14 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:43658 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732699AbeGJS0N (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Jul 2018 14:26:13 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id E4406E7D;
        Tue, 10 Jul 2018 18:26:02 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Daniel Rosenberg <drosen@google.com>,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 3.18 15/23] HID: debug: check length before copy_to_user()
Date:   Tue, 10 Jul 2018 20:24:48 +0200
Message-Id: <20180710182309.536961789@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180710182308.877332304@linuxfoundation.org>
References: <20180710182308.877332304@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Rosenberg <drosen@google.com>

commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.

If our length is greater than the size of the buffer, we
overflow the buffer

Cc: stable@vger.kernel.org
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-debug.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
@@ -1150,6 +1150,8 @@ copy_rest:
 			goto out;
 		if (list->tail > list->head) {
 			len = list->tail - list->head;
+			if (len > count)
+				len = count;
 
 			if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
 				ret = -EFAULT;
@@ -1159,6 +1161,8 @@ copy_rest:
 			list->head += len;
 		} else {
 			len = HID_DEBUG_BUFSIZE - list->head;
+			if (len > count)
+				len = count;
 
 			if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
 				ret = -EFAULT;
@@ -1166,7 +1170,9 @@ copy_rest:
 			}
 			list->head = 0;
 			ret += len;
-			goto copy_rest;
+			count -= len;
+			if (count > 0)
+				goto copy_rest;
 		}
 
 	}