diff options
author | Tudor Florea <tudor.florea@enea.com> | 2016-02-18 15:33:33 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2016-02-22 15:05:50 +0100 |
commit | 4fa4c5f1b92fd0293319a011bb5bf5bca089bd5f (patch) | |
tree | 6a898651d9180b8a5189b92e507a9c237e6a9083 /recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch | |
parent | 98215b7665c965316eec60348bdbdf6f1b3cbdcf (diff) | |
download | meta-enea-bsp-arm-4fa4c5f1b92fd0293319a011bb5bf5bca089bd5f.tar.gz |
recipes-kernel: remve unsupported targets
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch | 80 |
1 files changed, 0 insertions, 80 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch b/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch deleted file mode 100644 index faeace9..0000000 --- a/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch +++ /dev/null | |||
@@ -1,80 +0,0 @@ | |||
1 | From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kees Cook <keescook@chromium.org> | ||
3 | Date: Wed, 28 Aug 2013 22:29:55 +0200 | ||
4 | Subject: [PATCH] HID: validate HID report id size | ||
5 | |||
6 | The "Report ID" field of a HID report is used to build indexes of | ||
7 | reports. The kernel's index of these is limited to 256 entries, so any | ||
8 | malicious device that sets a Report ID greater than 255 will trigger | ||
9 | memory corruption on the host: | ||
10 | |||
11 | [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 | ||
12 | [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b | ||
13 | |||
14 | CVE-2013-2888 | ||
15 | |||
16 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
17 | Cc: stable@kernel.org | ||
18 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
19 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
20 | --- | ||
21 | drivers/hid/hid-core.c | 10 +++++++--- | ||
22 | include/linux/hid.h | 4 +++- | ||
23 | 2 files changed, 10 insertions(+), 4 deletions(-) | ||
24 | |||
25 | diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c | ||
26 | index 36668d1..5ea7d51 100644 | ||
27 | --- a/drivers/hid/hid-core.c | ||
28 | +++ b/drivers/hid/hid-core.c | ||
29 | @@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, | ||
30 | struct hid_report_enum *report_enum = device->report_enum + type; | ||
31 | struct hid_report *report; | ||
32 | |||
33 | + if (id >= HID_MAX_IDS) | ||
34 | + return NULL; | ||
35 | if (report_enum->report_id_hash[id]) | ||
36 | return report_enum->report_id_hash[id]; | ||
37 | |||
38 | @@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) | ||
39 | |||
40 | case HID_GLOBAL_ITEM_TAG_REPORT_ID: | ||
41 | parser->global.report_id = item_udata(item); | ||
42 | - if (parser->global.report_id == 0) { | ||
43 | - hid_err(parser->device, "report_id 0 is invalid\n"); | ||
44 | + if (parser->global.report_id == 0 || | ||
45 | + parser->global.report_id >= HID_MAX_IDS) { | ||
46 | + hid_err(parser->device, "report_id %u is invalid\n", | ||
47 | + parser->global.report_id); | ||
48 | return -1; | ||
49 | } | ||
50 | return 0; | ||
51 | @@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) | ||
52 | for (i = 0; i < HID_REPORT_TYPES; i++) { | ||
53 | struct hid_report_enum *report_enum = device->report_enum + i; | ||
54 | |||
55 | - for (j = 0; j < 256; j++) { | ||
56 | + for (j = 0; j < HID_MAX_IDS; j++) { | ||
57 | struct hid_report *report = report_enum->report_id_hash[j]; | ||
58 | if (report) | ||
59 | hid_free_report(report); | ||
60 | diff --git a/include/linux/hid.h b/include/linux/hid.h | ||
61 | index 0c48991..ff545cc 100644 | ||
62 | --- a/include/linux/hid.h | ||
63 | +++ b/include/linux/hid.h | ||
64 | @@ -393,10 +393,12 @@ struct hid_report { | ||
65 | struct hid_device *device; /* associated device */ | ||
66 | }; | ||
67 | |||
68 | +#define HID_MAX_IDS 256 | ||
69 | + | ||
70 | struct hid_report_enum { | ||
71 | unsigned numbered; | ||
72 | struct list_head report_list; | ||
73 | - struct hid_report *report_id_hash[256]; | ||
74 | + struct hid_report *report_id_hash[HID_MAX_IDS]; | ||
75 | }; | ||
76 | |||
77 | #define HID_REPORT_TYPES 3 | ||
78 | -- | ||
79 | 1.7.9.5 | ||
80 | |||