diff --git a/HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch b/HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch new file mode 100644 index 000000000..456d91c9c --- /dev/null +++ b/HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch @@ -0,0 +1,41 @@ +From 844817e47eef14141cf59b8d5ac08dd11c0a9189 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Wed, 27 Aug 2014 09:13:15 +0200 +Subject: [PATCH] HID: picolcd: sanity check report size in raw_event() + callback + +The report passed to us from transport driver could potentially be +arbitrarily large, therefore we better sanity-check it so that raw_data +that we hold in picolcd_pending structure are always kept within proper +bounds. + +Bugzilla: 1141410 +Upstream-status: 3.17 and CC'd to stable + +Cc: stable@vger.kernel.org +Reported-by: Steven Vittitoe +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-picolcd_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c +index acbb021065ec..020df3c2e8b4 100644 +--- a/drivers/hid/hid-picolcd_core.c ++++ b/drivers/hid/hid-picolcd_core.c +@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, + if (!data) + return 1; + ++ if (size > 64) { ++ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", ++ size); ++ return 0; ++ } ++ + if (report->id == REPORT_KEY_STATE) { + if (data->input_keys) + ret = picolcd_raw_keypad(data, report, raw_data+1, size-1); +-- +2.1.0 + diff --git a/kernel.spec b/kernel.spec index 35efcaf4c..697df1167 100644 --- a/kernel.spec +++ b/kernel.spec @@ -724,6 +724,9 @@ Patch26023: psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch #CVE-2014-3181 rhbz 1141179 1141173 Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch +#CVE-2014-3186 rhbz 1141407 1141410 +Patch26025: HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1416,6 +1419,9 @@ ApplyPatch psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch #CVE-2014-3181 rhbz 1141179 1141173 ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch +#CVE-2014-3186 rhbz 1141407 1141410 +ApplyPatch HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2234,6 +2240,9 @@ fi # ||----w | # || || %changelog +* Mon Sep 15 2014 Josh Boyer +- CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410) + * Fri Sep 12 2014 Josh Boyer - CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179)