From 8cb769111fb2e083302d61f6973a9e06cf3d6bab Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Sat, 27 Jul 2019 13:15:59 +0200
Subject: [PATCH] Input: gtco - bounds check collection indent level (CVE-2019-13631)
---
 debian/changelog | 3 +-
 ...bounds-check-collection-indent-level.patch | 82 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
diff --git a/debian/changelog b/debian/changelog
index b289ac870..66dc514de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,8 +7,9 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
 (CVE-2019-12984)
 * binder: fix race between munmap() and direct reclaim (CVE-2019-1999)
 * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
+ * Input: gtco - bounds check collection indent level (CVE-2019-13631)
- -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200
+ -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200
 linux (4.19.37-5+deb10u1) buster-security; urgency=high
diff --git a/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
new file mode 100644
index 000000000..e44fcff9d
--- /dev/null
+++ b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
@@ -0,0 +1,82 @@
+From: Grant Hernandez
+Date: Sat, 13 Jul 2019 01:00:12 -0700
+Subject: Input: gtco - bounds check collection indent level
+Origin: https://git.kernel.org/linus/kernel/git/stable/linux.git/patch/?id=d657077eda7b5572d86f2f618391bb016b5d9a64
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13631
+
+commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream.
+
+The GTCO tablet input driver configures itself from an HID report sent
+via USB during the initial enumeration process. Some debugging messages
+are generated during the parsing. A debugging message indentation
+counter is not bounds checked, leading to the ability for a specially
+crafted HID report to cause '-' and null bytes be written past the end
+of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
+enabled, this code will not be optimized out. This was discovered
+during code review after a previous syzkaller bug was found in this
+driver.
+
+Signed-off-by: Grant Hernandez
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/tablet/gtco.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 4b8b9d7aa75e..35031228a6d0 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
+ 
+ /* Max size of a single report */
+ #define REPORT_MAX_SIZE 10
++#define MAX_COLLECTION_LEVELS 10
+ 
+ 
+ /* Bitmask whether pen is in range */
+@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ char maintype = 'x';
+ char globtype[12];
+ int indent = 0;
+- char indentstr[10] = "";
+-
++ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
+ 
+ dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
+ 
+@@ -350,6 +350,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ case TAG_MAIN_COL_START:
+ maintype = 'S';
+ 
++ if (indent == MAX_COLLECTION_LEVELS) {
++ dev_err(ddev, "Collection level %d would exceed limit of %d\n",
++ indent + 1,
++ MAX_COLLECTION_LEVELS);
++ break;
++ }
++
+ if (data == 0) {
+ dev_dbg(ddev, "======>>>>>> Physical\n");
+ strcpy(globtype, "Physical");
+@@ -369,8 +376,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+ break;
+ 
+ case TAG_MAIN_COL_END:
+- dev_dbg(ddev, "<<<<<<======\n");
+ maintype = 'E';
++
++ if (indent == 0) {
++ dev_err(ddev, "Collection level already at zero\n");
++ break;
++ }
++
++ dev_dbg(ddev, "<<<<<<======\n");
++
+ indent--;
+ for (x = 0; x < indent; x++)
+ indentstr[x] = '-';
+-- 
+cgit 1.2-0.3.lf.el7
+
diff --git a/debian/patches/series b/debian/patches/series
index f904bd1f3..f2a416b16 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -234,6 +234,7 @@ bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
 bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch
 bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
 bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
+bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
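Review bot: The new guard in the TAG_MAIN_COL_START case compares `indent == MAX_COLLECTION_LEVELS`; the increment of indent and the loop that fills indentstr on that path lie outside the hunk, so the array's fit (MAX_COLLECTION_LEVELS dashes plus the NUL terminator in `indentstr[MAX_COLLECTION_LEVELS + 1]`) cannot be confirmed from the visible lines, and a `>=` comparison would keep the bound intact even if indent were ever left above the limit by another path: `if (indent >= MAX_COLLECTION_LEVELS) {`. The coupling between the two sizes is worth recording next to the new define, e.g. `/* indentstr[] must hold MAX_COLLECTION_LEVELS '-' characters plus a NUL */`. Both checks log with dev_err and `break` out of the switch rather than abandoning the descriptor, so parsing of the rest of the device-supplied report presumably continues; if that is intended, a short comment at the first `break` saying so would help the next reader. This file is a backport of the upstream commit named in its header, so any deviation should go upstream first rather than into the Debian copy. parse_hid_report_descriptor begins and ends outside the hunk.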