1077 lines
35 KiB
Diff
1077 lines
35 KiB
Diff
From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:29:55 +0200
|
|
Subject: [PATCH 01/16] HID: validate HID report id size
|
|
|
|
The "Report ID" field of a HID report is used to build indexes of
|
|
reports. The kernel's index of these is limited to 256 entries, so any
|
|
malicious device that sets a Report ID greater than 255 will trigger
|
|
memory corruption on the host:
|
|
|
|
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
|
|
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
|
|
|
|
CVE-2013-2888
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-core.c | 10 +++++++---
|
|
include/linux/hid.h | 4 +++-
|
|
2 files changed, 10 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
|
index 36668d1..5ea7d51 100644
|
|
--- a/drivers/hid/hid-core.c
|
|
+++ b/drivers/hid/hid-core.c
|
|
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
|
|
struct hid_report_enum *report_enum = device->report_enum + type;
|
|
struct hid_report *report;
|
|
|
|
+ if (id >= HID_MAX_IDS)
|
|
+ return NULL;
|
|
if (report_enum->report_id_hash[id])
|
|
return report_enum->report_id_hash[id];
|
|
|
|
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
|
|
|
|
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
|
|
parser->global.report_id = item_udata(item);
|
|
- if (parser->global.report_id == 0) {
|
|
- hid_err(parser->device, "report_id 0 is invalid\n");
|
|
+ if (parser->global.report_id == 0 ||
|
|
+ parser->global.report_id >= HID_MAX_IDS) {
|
|
+ hid_err(parser->device, "report_id %u is invalid\n",
|
|
+ parser->global.report_id);
|
|
return -1;
|
|
}
|
|
return 0;
|
|
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
|
|
for (i = 0; i < HID_REPORT_TYPES; i++) {
|
|
struct hid_report_enum *report_enum = device->report_enum + i;
|
|
|
|
- for (j = 0; j < 256; j++) {
|
|
+ for (j = 0; j < HID_MAX_IDS; j++) {
|
|
struct hid_report *report = report_enum->report_id_hash[j];
|
|
if (report)
|
|
hid_free_report(report);
|
|
diff --git a/include/linux/hid.h b/include/linux/hid.h
|
|
index 0c48991..ff545cc 100644
|
|
--- a/include/linux/hid.h
|
|
+++ b/include/linux/hid.h
|
|
@@ -393,10 +393,12 @@ struct hid_report {
|
|
struct hid_device *device; /* associated device */
|
|
};
|
|
|
|
+#define HID_MAX_IDS 256
|
|
+
|
|
struct hid_report_enum {
|
|
unsigned numbered;
|
|
struct list_head report_list;
|
|
- struct hid_report *report_id_hash[256];
|
|
+ struct hid_report *report_id_hash[HID_MAX_IDS];
|
|
};
|
|
|
|
#define HID_REPORT_TYPES 3
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 11 Sep 2013 21:56:50 +0200
|
|
Subject: [PATCH 02/16] HID: provide a helper for validating hid reports
|
|
|
|
Many drivers need to validate the characteristics of their HID report
|
|
during initialization to avoid misusing the reports. This adds a common
|
|
helper to perform validation of the report exisitng, the field existing,
|
|
and the expected number of values within the field.
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
include/linux/hid.h | 4 ++++
|
|
2 files changed, 62 insertions(+)
|
|
|
|
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
|
index 5ea7d51..65ee459 100644
|
|
--- a/drivers/hid/hid-core.c
|
|
+++ b/drivers/hid/hid-core.c
|
|
@@ -759,6 +759,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
|
|
}
|
|
EXPORT_SYMBOL_GPL(hid_parse_report);
|
|
|
|
+static const char * const hid_report_names[] = {
|
|
+ "HID_INPUT_REPORT",
|
|
+ "HID_OUTPUT_REPORT",
|
|
+ "HID_FEATURE_REPORT",
|
|
+};
|
|
+/**
|
|
+ * hid_validate_values - validate existing device report's value indexes
|
|
+ *
|
|
+ * @device: hid device
|
|
+ * @type: which report type to examine
|
|
+ * @id: which report ID to examine (0 for first)
|
|
+ * @field_index: which report field to examine
|
|
+ * @report_counts: expected number of values
|
|
+ *
|
|
+ * Validate the number of values in a given field of a given report, after
|
|
+ * parsing.
|
|
+ */
|
|
+struct hid_report *hid_validate_values(struct hid_device *hid,
|
|
+ unsigned int type, unsigned int id,
|
|
+ unsigned int field_index,
|
|
+ unsigned int report_counts)
|
|
+{
|
|
+ struct hid_report *report;
|
|
+
|
|
+ if (type > HID_FEATURE_REPORT) {
|
|
+ hid_err(hid, "invalid HID report type %u\n", type);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (id >= HID_MAX_IDS) {
|
|
+ hid_err(hid, "invalid HID report id %u\n", id);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Explicitly not using hid_get_report() here since it depends on
|
|
+ * ->numbered being checked, which may not always be the case when
|
|
+ * drivers go to access report values.
|
|
+ */
|
|
+ report = hid->report_enum[type].report_id_hash[id];
|
|
+ if (!report) {
|
|
+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
|
|
+ return NULL;
|
|
+ }
|
|
+ if (report->maxfield <= field_index) {
|
|
+ hid_err(hid, "not enough fields in %s %u\n",
|
|
+ hid_report_names[type], id);
|
|
+ return NULL;
|
|
+ }
|
|
+ if (report->field[field_index]->report_count < report_counts) {
|
|
+ hid_err(hid, "not enough values in %s %u field %u\n",
|
|
+ hid_report_names[type], id, field_index);
|
|
+ return NULL;
|
|
+ }
|
|
+ return report;
|
|
+}
|
|
+EXPORT_SYMBOL_GPL(hid_validate_values);
|
|
+
|
|
/**
|
|
* hid_open_report - open a driver-specific device report
|
|
*
|
|
diff --git a/include/linux/hid.h b/include/linux/hid.h
|
|
index ff545cc..6e18550 100644
|
|
--- a/include/linux/hid.h
|
|
+++ b/include/linux/hid.h
|
|
@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
|
|
struct hid_device *hid_allocate_device(void);
|
|
struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
|
|
int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
|
|
+struct hid_report *hid_validate_values(struct hid_device *hid,
|
|
+ unsigned int type, unsigned int id,
|
|
+ unsigned int field_index,
|
|
+ unsigned int report_counts);
|
|
int hid_open_report(struct hid_device *device);
|
|
int hid_check_keys_pressed(struct hid_device *hid);
|
|
int hid_connect(struct hid_device *hid, unsigned int connect_mask);
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 51bc0244e9e62b25e4f64f7cb87764a0c0692131 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 11 Sep 2013 21:56:51 +0200
|
|
Subject: [PATCH 03/16] HID: zeroplus: validate output report details
|
|
|
|
The zeroplus HID driver was not checking the size of allocated values
|
|
in fields it used. A HID device could send a malicious output report
|
|
that would cause the driver to write beyond the output report allocation
|
|
during initialization, causing a heap overflow:
|
|
|
|
[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
|
|
...
|
|
[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
|
|
|
CVE-2013-2889
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-zpff.c | 18 +++++-------------
|
|
1 file changed, 5 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
|
|
index 6ec28a3..a29756c 100644
|
|
--- a/drivers/hid/hid-zpff.c
|
|
+++ b/drivers/hid/hid-zpff.c
|
|
@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid)
|
|
struct hid_report *report;
|
|
struct hid_input *hidinput = list_entry(hid->inputs.next,
|
|
struct hid_input, list);
|
|
- struct list_head *report_list =
|
|
- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
|
struct input_dev *dev = hidinput->input;
|
|
- int error;
|
|
+ int i, error;
|
|
|
|
- if (list_empty(report_list)) {
|
|
- hid_err(hid, "no output report found\n");
|
|
- return -ENODEV;
|
|
- }
|
|
-
|
|
- report = list_entry(report_list->next, struct hid_report, list);
|
|
-
|
|
- if (report->maxfield < 4) {
|
|
- hid_err(hid, "not enough fields in report\n");
|
|
- return -ENODEV;
|
|
+ for (i = 0; i < 4; i++) {
|
|
+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
|
|
+ if (!report)
|
|
+ return -ENODEV;
|
|
}
|
|
|
|
zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 5b029acf571f94193ff8a757340fd37a7f88ae0b Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 11 Sep 2013 21:56:53 +0200
|
|
Subject: [PATCH 05/16] HID: steelseries: validate output report details
|
|
|
|
A HID device could send a malicious output report that would cause the
|
|
steelseries HID driver to write beyond the output report allocation
|
|
during initialization, causing a heap overflow:
|
|
|
|
[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
|
|
...
|
|
[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
|
|
|
|
CVE-2013-2891
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-steelseries.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
|
|
index d164911..29f328f 100644
|
|
--- a/drivers/hid/hid-steelseries.c
|
|
+++ b/drivers/hid/hid-steelseries.c
|
|
@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
|
|
goto err_free;
|
|
}
|
|
|
|
+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) {
|
|
+ ret = -ENODEV;
|
|
+ goto err_free;
|
|
+ }
|
|
+
|
|
ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
|
|
if (ret) {
|
|
hid_err(hdev, "hw start failed\n");
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From e846e9b33d65246ed807156a114c65cdfece0d12 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 11 Sep 2013 21:56:54 +0200
|
|
Subject: [PATCH 06/16] HID: LG: validate HID output report details
|
|
|
|
A HID device could send a malicious output report that would cause the
|
|
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
|
|
during an event, causing a heap overflow:
|
|
|
|
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
|
|
...
|
|
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
|
|
|
|
Additionally, while lg2 did correctly validate the report details, it was
|
|
cleaned up and shortened.
|
|
|
|
CVE-2013-2893
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-lg2ff.c | 19 +++----------------
|
|
drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
|
|
drivers/hid/hid-lg4ff.c | 20 +-------------------
|
|
drivers/hid/hid-lgff.c | 17 ++---------------
|
|
4 files changed, 12 insertions(+), 73 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
|
|
index b3cd150..1a42eaa 100644
|
|
--- a/drivers/hid/hid-lg2ff.c
|
|
+++ b/drivers/hid/hid-lg2ff.c
|
|
@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
|
|
struct hid_report *report;
|
|
struct hid_input *hidinput = list_entry(hid->inputs.next,
|
|
struct hid_input, list);
|
|
- struct list_head *report_list =
|
|
- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
|
struct input_dev *dev = hidinput->input;
|
|
int error;
|
|
|
|
- if (list_empty(report_list)) {
|
|
- hid_err(hid, "no output report found\n");
|
|
+ /* Check that the report looks ok */
|
|
+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7);
|
|
+ if (!report)
|
|
return -ENODEV;
|
|
- }
|
|
-
|
|
- report = list_entry(report_list->next, struct hid_report, list);
|
|
-
|
|
- if (report->maxfield < 1) {
|
|
- hid_err(hid, "output report is empty\n");
|
|
- return -ENODEV;
|
|
- }
|
|
- if (report->field[0]->report_count < 7) {
|
|
- hid_err(hid, "not enough values in the field\n");
|
|
- return -ENODEV;
|
|
- }
|
|
|
|
lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
|
|
if (!lg2ff)
|
|
diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
|
|
index e52f181..8c2da18 100644
|
|
--- a/drivers/hid/hid-lg3ff.c
|
|
+++ b/drivers/hid/hid-lg3ff.c
|
|
@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
|
|
int x, y;
|
|
|
|
/*
|
|
- * Maxusage should always be 63 (maximum fields)
|
|
- * likely a better way to ensure this data is clean
|
|
+ * Available values in the field should always be 63, but we only use up to
|
|
+ * 35. Instead, clear the entire area, however big it is.
|
|
*/
|
|
- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
|
|
+ memset(report->field[0]->value, 0,
|
|
+ sizeof(__s32) * report->field[0]->report_count);
|
|
|
|
switch (effect->type) {
|
|
case FF_CONSTANT:
|
|
@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
|
|
int lg3ff_init(struct hid_device *hid)
|
|
{
|
|
struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
|
|
- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
|
struct input_dev *dev = hidinput->input;
|
|
- struct hid_report *report;
|
|
- struct hid_field *field;
|
|
const signed short *ff_bits = ff3_joystick_ac;
|
|
int error;
|
|
int i;
|
|
|
|
- /* Find the report to use */
|
|
- if (list_empty(report_list)) {
|
|
- hid_err(hid, "No output report found\n");
|
|
- return -1;
|
|
- }
|
|
-
|
|
/* Check that the report looks ok */
|
|
- report = list_entry(report_list->next, struct hid_report, list);
|
|
- if (!report) {
|
|
- hid_err(hid, "NULL output report\n");
|
|
- return -1;
|
|
- }
|
|
-
|
|
- field = report->field[0];
|
|
- if (!field) {
|
|
- hid_err(hid, "NULL field\n");
|
|
- return -1;
|
|
- }
|
|
+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35))
|
|
+ return -ENODEV;
|
|
|
|
/* Assume single fixed device G940 */
|
|
for (i = 0; ff_bits[i] >= 0; i++)
|
|
diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
|
|
index 0ddae2a..8782fe1 100644
|
|
--- a/drivers/hid/hid-lg4ff.c
|
|
+++ b/drivers/hid/hid-lg4ff.c
|
|
@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
|
|
int lg4ff_init(struct hid_device *hid)
|
|
{
|
|
struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
|
|
- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
|
struct input_dev *dev = hidinput->input;
|
|
- struct hid_report *report;
|
|
- struct hid_field *field;
|
|
struct lg4ff_device_entry *entry;
|
|
struct lg_drv_data *drv_data;
|
|
struct usb_device_descriptor *udesc;
|
|
int error, i, j;
|
|
__u16 bcdDevice, rev_maj, rev_min;
|
|
|
|
- /* Find the report to use */
|
|
- if (list_empty(report_list)) {
|
|
- hid_err(hid, "No output report found\n");
|
|
- return -1;
|
|
- }
|
|
-
|
|
/* Check that the report looks ok */
|
|
- report = list_entry(report_list->next, struct hid_report, list);
|
|
- if (!report) {
|
|
- hid_err(hid, "NULL output report\n");
|
|
+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
|
|
return -1;
|
|
- }
|
|
-
|
|
- field = report->field[0];
|
|
- if (!field) {
|
|
- hid_err(hid, "NULL field\n");
|
|
- return -1;
|
|
- }
|
|
|
|
/* Check what wheel has been connected */
|
|
for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
|
|
diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
|
|
index d7ea8c8..e1394af 100644
|
|
--- a/drivers/hid/hid-lgff.c
|
|
+++ b/drivers/hid/hid-lgff.c
|
|
@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
|
|
int lgff_init(struct hid_device* hid)
|
|
{
|
|
struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
|
|
- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
|
struct input_dev *dev = hidinput->input;
|
|
- struct hid_report *report;
|
|
- struct hid_field *field;
|
|
const signed short *ff_bits = ff_joystick;
|
|
int error;
|
|
int i;
|
|
|
|
- /* Find the report to use */
|
|
- if (list_empty(report_list)) {
|
|
- hid_err(hid, "No output report found\n");
|
|
- return -1;
|
|
- }
|
|
-
|
|
/* Check that the report looks ok */
|
|
- report = list_entry(report_list->next, struct hid_report, list);
|
|
- field = report->field[0];
|
|
- if (!field) {
|
|
- hid_err(hid, "NULL field\n");
|
|
- return -1;
|
|
- }
|
|
+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
|
|
+ return -ENODEV;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(devices); i++) {
|
|
if (dev->id.vendor == devices[i].idVendor &&
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 0317e971d90e3e2e312074386a2349b2ef48d1d0 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 11 Sep 2013 21:56:55 +0200
|
|
Subject: [PATCH 07/16] HID: lenovo-tpkbd: validate output report details
|
|
|
|
From: Kees Cook <keescook@chromium.org>
|
|
|
|
A HID device could send a malicious output report that would cause the
|
|
lenovo-tpkbd HID driver to write just beyond the output report allocation
|
|
during initialization, causing a heap overflow:
|
|
|
|
[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
|
|
...
|
|
[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
|
|
|
CVE-2013-2894
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
|
|
index 07837f5..762d988 100644
|
|
--- a/drivers/hid/hid-lenovo-tpkbd.c
|
|
+++ b/drivers/hid/hid-lenovo-tpkbd.c
|
|
@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
|
|
struct tpkbd_data_pointer *data_pointer;
|
|
size_t name_sz = strlen(dev_name(dev)) + 16;
|
|
char *name_mute, *name_micmute;
|
|
- int ret;
|
|
+ int i, ret;
|
|
+
|
|
+ /* Validate required reports. */
|
|
+ for (i = 0; i < 4; i++) {
|
|
+ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1))
|
|
+ return -ENODEV;
|
|
+ }
|
|
+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2))
|
|
+ return -ENODEV;
|
|
|
|
if (sysfs_create_group(&hdev->dev.kobj,
|
|
&tpkbd_attr_group_pointer)) {
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 978474c73af6764f1c2c5409585221e6d438b16c Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 11 Sep 2013 21:56:56 +0200
|
|
Subject: [PATCH 08/16] HID: logitech-dj: validate output report details
|
|
|
|
A HID device could send a malicious output report that would cause the
|
|
logitech-dj HID driver to leak kernel memory contents to the device, or
|
|
trigger a NULL dereference during initialization:
|
|
|
|
[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
|
|
...
|
|
[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
|
|
[ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
|
|
|
|
CVE-2013-2895
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
|
|
---
|
|
drivers/hid/hid-logitech-dj.c | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
|
|
index cd33084..a2469b5 100644
|
|
--- a/drivers/hid/hid-logitech-dj.c
|
|
+++ b/drivers/hid/hid-logitech-dj.c
|
|
@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
|
|
struct hid_report *report;
|
|
struct hid_report_enum *output_report_enum;
|
|
u8 *data = (u8 *)(&dj_report->device_index);
|
|
- int i;
|
|
+ unsigned int i;
|
|
|
|
output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
|
|
report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
|
|
@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
|
|
return -ENODEV;
|
|
}
|
|
|
|
- for (i = 0; i < report->field[0]->report_count; i++)
|
|
+ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
|
|
report->field[0]->value[i] = data[i];
|
|
|
|
hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
|
|
@@ -783,6 +783,12 @@ static int logi_dj_probe(struct hid_device *hdev,
|
|
goto hid_parse_fail;
|
|
}
|
|
|
|
+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
|
|
+ 0, DJREPORT_SHORT_LENGTH - 1)) {
|
|
+ retval = -ENODEV;
|
|
+ goto hid_parse_fail;
|
|
+ }
|
|
+
|
|
/* Starts the usb device and connects to upper interfaces hiddev and
|
|
* hidraw */
|
|
retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 9445e3a28eb6365c54dae729d184c4c3b6b43d60 Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
Date: Wed, 11 Sep 2013 21:56:57 +0200
|
|
Subject: [PATCH 09/16] HID: validate feature and input report details
|
|
|
|
When dealing with usage_index, be sure to properly use unsigned instead of
|
|
int to avoid overflows.
|
|
|
|
When working on report fields, always validate that their report_counts are
|
|
in bounds.
|
|
Without this, a HID device could report a malicious feature report that
|
|
could trick the driver into a heap overflow:
|
|
|
|
[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
|
|
...
|
|
[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
|
|
|
CVE-2013-2897
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-core.c | 16 +++++++---------
|
|
drivers/hid/hid-input.c | 11 ++++++++++-
|
|
2 files changed, 17 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
|
index 65ee459..08500bc 100644
|
|
--- a/drivers/hid/hid-core.c
|
|
+++ b/drivers/hid/hid-core.c
|
|
@@ -94,7 +94,6 @@ EXPORT_SYMBOL_GPL(hid_register_report);
|
|
static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values)
|
|
{
|
|
struct hid_field *field;
|
|
- int i;
|
|
|
|
if (report->maxfield == HID_MAX_FIELDS) {
|
|
hid_err(report->device, "too many fields in report\n");
|
|
@@ -113,9 +112,6 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned
|
|
field->value = (s32 *)(field->usage + usages);
|
|
field->report = report;
|
|
|
|
- for (i = 0; i < usages; i++)
|
|
- field->usage[i].usage_index = i;
|
|
-
|
|
return field;
|
|
}
|
|
|
|
@@ -226,9 +222,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
|
|
{
|
|
struct hid_report *report;
|
|
struct hid_field *field;
|
|
- int usages;
|
|
+ unsigned usages;
|
|
unsigned offset;
|
|
- int i;
|
|
+ unsigned i;
|
|
|
|
report = hid_register_report(parser->device, report_type, parser->global.report_id);
|
|
if (!report) {
|
|
@@ -255,7 +251,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
|
|
if (!parser->local.usage_index) /* Ignore padding fields */
|
|
return 0;
|
|
|
|
- usages = max_t(int, parser->local.usage_index, parser->global.report_count);
|
|
+ usages = max_t(unsigned, parser->local.usage_index,
|
|
+ parser->global.report_count);
|
|
|
|
field = hid_register_field(report, usages, parser->global.report_count);
|
|
if (!field)
|
|
@@ -266,13 +263,14 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
|
|
field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION);
|
|
|
|
for (i = 0; i < usages; i++) {
|
|
- int j = i;
|
|
+ unsigned j = i;
|
|
/* Duplicate the last usage we parsed if we have excess values */
|
|
if (i >= parser->local.usage_index)
|
|
j = parser->local.usage_index - 1;
|
|
field->usage[i].hid = parser->local.usage[j];
|
|
field->usage[i].collection_index =
|
|
parser->local.collection_index[j];
|
|
+ field->usage[i].usage_index = i;
|
|
}
|
|
|
|
field->maxusage = usages;
|
|
@@ -1290,7 +1288,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
|
|
goto out;
|
|
}
|
|
|
|
- if (hid->claimed != HID_CLAIMED_HIDRAW) {
|
|
+ if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
|
|
for (a = 0; a < report->maxfield; a++)
|
|
hid_input_field(hid, report->field[a], cdata, interrupt);
|
|
hdrv = hid->driver;
|
|
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
|
|
index 7480799..3ac2138 100644
|
|
--- a/drivers/hid/hid-input.c
|
|
+++ b/drivers/hid/hid-input.c
|
|
@@ -477,6 +477,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
|
|
if (field->flags & HID_MAIN_ITEM_CONSTANT)
|
|
goto ignore;
|
|
|
|
+ /* Ignore if report count is out of bounds. */
|
|
+ if (field->report_count < 1)
|
|
+ goto ignore;
|
|
+
|
|
/* only LED usages are supported in output fields */
|
|
if (field->report_type == HID_OUTPUT_REPORT &&
|
|
(usage->hid & HID_USAGE_PAGE) != HID_UP_LED) {
|
|
@@ -1160,7 +1164,11 @@ static void report_features(struct hid_device *hid)
|
|
|
|
rep_enum = &hid->report_enum[HID_FEATURE_REPORT];
|
|
list_for_each_entry(rep, &rep_enum->report_list, list)
|
|
- for (i = 0; i < rep->maxfield; i++)
|
|
+ for (i = 0; i < rep->maxfield; i++) {
|
|
+ /* Ignore if report count is out of bounds. */
|
|
+ if (rep->field[i]->report_count < 1)
|
|
+ continue;
|
|
+
|
|
for (j = 0; j < rep->field[i]->maxusage; j++) {
|
|
/* Verify if Battery Strength feature is available */
|
|
hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]);
|
|
@@ -1169,6 +1177,7 @@ static void report_features(struct hid_device *hid)
|
|
drv->feature_mapping(hid, rep->field[i],
|
|
rep->field[i]->usage + j);
|
|
}
|
|
+ }
|
|
}
|
|
|
|
static struct hid_input *hidinput_allocate(struct hid_device *hid)
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From cc8d6c5e14fbffc3349dcd35c21fa46f1143070d Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
Date: Wed, 11 Sep 2013 21:56:58 +0200
|
|
Subject: [PATCH 10/16] HID: multitouch: validate indexes details
|
|
|
|
When working on report indexes, always validate that they are in bounds.
|
|
Without this, a HID device could report a malicious feature report that
|
|
could trick the driver into a heap overflow:
|
|
|
|
[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
|
|
...
|
|
[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
|
|
|
Note that we need to change the indexes from s8 to s16 as they can
|
|
be between -1 and 255.
|
|
|
|
CVE-2013-2897
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-multitouch.c | 26 ++++++++++++++------------
|
|
1 file changed, 14 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
|
|
index cb0e361..2d3677c 100644
|
|
--- a/drivers/hid/hid-multitouch.c
|
|
+++ b/drivers/hid/hid-multitouch.c
|
|
@@ -101,9 +101,9 @@ struct mt_device {
|
|
unsigned last_slot_field; /* the last field of a slot */
|
|
unsigned mt_report_id; /* the report ID of the multitouch device */
|
|
unsigned pen_report_id; /* the report ID of the pen device */
|
|
- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */
|
|
- __s8 inputmode_index; /* InputMode HID feature index in the report */
|
|
- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature,
|
|
+ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */
|
|
+ __s16 inputmode_index; /* InputMode HID feature index in the report */
|
|
+ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature,
|
|
-1 if non-existent */
|
|
__u8 num_received; /* how many contacts we received */
|
|
__u8 num_expected; /* expected last contact index */
|
|
@@ -317,20 +317,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
|
|
struct hid_field *field, struct hid_usage *usage)
|
|
{
|
|
struct mt_device *td = hid_get_drvdata(hdev);
|
|
- int i;
|
|
|
|
switch (usage->hid) {
|
|
case HID_DG_INPUTMODE:
|
|
- td->inputmode = field->report->id;
|
|
- td->inputmode_index = 0; /* has to be updated below */
|
|
-
|
|
- for (i=0; i < field->maxusage; i++) {
|
|
- if (field->usage[i].hid == usage->hid) {
|
|
- td->inputmode_index = i;
|
|
- break;
|
|
- }
|
|
+ /* Ignore if value index is out of bounds. */
|
|
+ if (usage->usage_index >= field->report_count) {
|
|
+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
|
|
+ break;
|
|
}
|
|
|
|
+ td->inputmode = field->report->id;
|
|
+ td->inputmode_index = usage->usage_index;
|
|
+
|
|
break;
|
|
case HID_DG_CONTACTMAX:
|
|
td->maxcontact_report_id = field->report->id;
|
|
@@ -536,6 +534,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
|
|
mt_store_field(usage, td, hi);
|
|
return 1;
|
|
case HID_DG_CONTACTCOUNT:
|
|
+ /* Ignore if indexes are out of bounds. */
|
|
+ if (field->index >= field->report->maxfield ||
|
|
+ usage->usage_index >= field->report_count)
|
|
+ return 1;
|
|
td->cc_index = field->index;
|
|
td->cc_value_index = usage->usage_index;
|
|
return 1;
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 01b52229ddc746c56b2a7756eed46b1f98673bea Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
Date: Wed, 11 Sep 2013 21:56:59 +0200
|
|
Subject: [PATCH 11/16] HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
|
|
|
|
If tpkbd_probe_tp() bails out, the probe() function return an error,
|
|
but hid_hw_stop() is never called.
|
|
|
|
fixes:
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1003998
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
---
|
|
drivers/hid/hid-lenovo-tpkbd.c | 15 ++++++++++-----
|
|
1 file changed, 10 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
|
|
index 762d988..31cf29a 100644
|
|
--- a/drivers/hid/hid-lenovo-tpkbd.c
|
|
+++ b/drivers/hid/hid-lenovo-tpkbd.c
|
|
@@ -414,22 +414,27 @@ static int tpkbd_probe(struct hid_device *hdev,
|
|
ret = hid_parse(hdev);
|
|
if (ret) {
|
|
hid_err(hdev, "hid_parse failed\n");
|
|
- goto err_free;
|
|
+ goto err;
|
|
}
|
|
|
|
ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
|
|
if (ret) {
|
|
hid_err(hdev, "hid_hw_start failed\n");
|
|
- goto err_free;
|
|
+ goto err;
|
|
}
|
|
|
|
uhdev = (struct usbhid_device *) hdev->driver_data;
|
|
|
|
- if (uhdev->ifnum == 1)
|
|
- return tpkbd_probe_tp(hdev);
|
|
+ if (uhdev->ifnum == 1) {
|
|
+ ret = tpkbd_probe_tp(hdev);
|
|
+ if (ret)
|
|
+ goto err_hid;
|
|
+ }
|
|
|
|
return 0;
|
|
-err_free:
|
|
+err_hid:
|
|
+ hid_hw_stop(hdev);
|
|
+err:
|
|
return ret;
|
|
}
|
|
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:32:01 +0200
|
|
Subject: [PATCH 12/16] HID: check for NULL field when setting values
|
|
|
|
Defensively check that the field to be worked on is not NULL.
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-core.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
|
index 08500bc..e331cb1 100644
|
|
--- a/drivers/hid/hid-core.c
|
|
+++ b/drivers/hid/hid-core.c
|
|
@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
|
|
|
|
int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
|
|
{
|
|
- unsigned size = field->report_size;
|
|
+ unsigned size;
|
|
+
|
|
+ if (!field)
|
|
+ return -1;
|
|
+
|
|
+ size = field->report_size;
|
|
|
|
hid_dump_input(field->report->device, field->usage + offset, value);
|
|
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:30:49 +0200
|
|
Subject: [PATCH 13/16] HID: pantherlord: validate output report details
|
|
|
|
A HID device could send a malicious output report that would cause the
|
|
pantherlord HID driver to write beyond the output report allocation
|
|
during initialization, causing a heap overflow:
|
|
|
|
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
|
|
...
|
|
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
|
|
|
CVE-2013-2892
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-pl.c | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
|
|
index d29112f..2dcd7d9 100644
|
|
--- a/drivers/hid/hid-pl.c
|
|
+++ b/drivers/hid/hid-pl.c
|
|
@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
|
|
strong = &report->field[0]->value[2];
|
|
weak = &report->field[0]->value[3];
|
|
debug("detected single-field device");
|
|
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
|
|
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
|
|
+ } else if (report->field[0]->maxusage == 1 &&
|
|
+ report->field[0]->usage[0].hid ==
|
|
+ (HID_UP_LED | 0x43) &&
|
|
+ report->maxfield >= 4 &&
|
|
+ report->field[0]->report_count >= 1 &&
|
|
+ report->field[1]->report_count >= 1 &&
|
|
+ report->field[2]->report_count >= 1 &&
|
|
+ report->field[3]->report_count >= 1) {
|
|
report->field[0]->value[0] = 0x00;
|
|
report->field[1]->value[0] = 0x00;
|
|
strong = &report->field[2]->value[0];
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:31:28 +0200
|
|
Subject: [PATCH 14/16] HID: ntrig: validate feature report details
|
|
|
|
A HID device could send a malicious feature report that would cause the
|
|
ntrig HID driver to trigger a NULL dereference during initialization:
|
|
|
|
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
|
|
...
|
|
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
|
|
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
|
|
|
|
CVE-2013-2896
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-ntrig.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
|
|
index ef95102..5482156 100644
|
|
--- a/drivers/hid/hid-ntrig.c
|
|
+++ b/drivers/hid/hid-ntrig.c
|
|
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
|
|
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
|
|
report_id_hash[0x0d];
|
|
|
|
- if (!report)
|
|
+ if (!report || report->maxfield < 1 ||
|
|
+ report->field[0]->report_count < 1)
|
|
return -EINVAL;
|
|
|
|
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:31:44 +0200
|
|
Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details
|
|
|
|
A HID device could send a malicious feature report that would cause the
|
|
sensor-hub HID driver to read past the end of heap allocation, leaking
|
|
kernel memory contents to the caller.
|
|
|
|
CVE-2013-2898
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-sensor-hub.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
|
|
index ca749810..aa34755 100644
|
|
--- a/drivers/hid/hid-sensor-hub.c
|
|
+++ b/drivers/hid/hid-sensor-hub.c
|
|
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
|
|
|
|
mutex_lock(&data->mutex);
|
|
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
|
|
- if (!report || (field_index >= report->maxfield)) {
|
|
+ if (!report || (field_index >= report->maxfield) ||
|
|
+ report->field[field_index]->report_count < 1) {
|
|
ret = -EINVAL;
|
|
goto done_proc;
|
|
}
|
|
--
|
|
1.8.3.1
|
|
|
|
|
|
From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:31:52 +0200
|
|
Subject: [PATCH 16/16] HID: picolcd_core: validate output report details
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
A HID device could send a malicious output report that would cause the
|
|
picolcd HID driver to trigger a NULL dereference during attr file writing.
|
|
|
|
[jkosina@suse.cz: changed
|
|
|
|
report->maxfield < 1
|
|
|
|
to
|
|
|
|
report->maxfield != 1
|
|
|
|
as suggested by Bruno].
|
|
|
|
CVE-2013-2899
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
|
|
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-picolcd_core.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
|
|
index b48092d..acbb0210 100644
|
|
--- a/drivers/hid/hid-picolcd_core.c
|
|
+++ b/drivers/hid/hid-picolcd_core.c
|
|
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
|
|
buf += 10;
|
|
cnt -= 10;
|
|
}
|
|
- if (!report)
|
|
+ if (!report || report->maxfield != 1)
|
|
return -EINVAL;
|
|
|
|
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
|
|
--
|
|
1.8.3.1
|
|
|