diff options
author | Tudor Florea <tudor.florea@enea.com> | 2016-02-18 15:33:33 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2016-02-22 15:05:50 +0100 |
commit | 4fa4c5f1b92fd0293319a011bb5bf5bca089bd5f (patch) | |
tree | 6a898651d9180b8a5189b92e507a9c237e6a9083 /recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch | |
parent | 98215b7665c965316eec60348bdbdf6f1b3cbdcf (diff) | |
download | meta-enea-bsp-arm-4fa4c5f1b92fd0293319a011bb5bf5bca089bd5f.tar.gz |
recipes-kernel: remve unsupported targets
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch | 59 |
1 files changed, 0 insertions, 59 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch deleted file mode 100644 index a2641cf..0000000 --- a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch +++ /dev/null | |||
@@ -1,59 +0,0 @@ | |||
1 | From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kees Cook <keescook@chromium.org> | ||
3 | Date: Wed, 11 Sep 2013 21:56:51 +0200 | ||
4 | Subject: [PATCH] HID: zeroplus: validate output report details | ||
5 | |||
6 | The zeroplus HID driver was not checking the size of allocated values | ||
7 | in fields it used. A HID device could send a malicious output report | ||
8 | that would cause the driver to write beyond the output report allocation | ||
9 | during initialization, causing a heap overflow: | ||
10 | |||
11 | [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 | ||
12 | ... | ||
13 | [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten | ||
14 | |||
15 | CVE-2013-2889 | ||
16 | |||
17 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
18 | Cc: stable@vger.kernel.org | ||
19 | Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> | ||
20 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
21 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
22 | --- | ||
23 | drivers/hid/hid-zpff.c | 18 +++++------------- | ||
24 | 1 file changed, 5 insertions(+), 13 deletions(-) | ||
25 | |||
26 | diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c | ||
27 | index 6ec28a3..a29756c 100644 | ||
28 | --- a/drivers/hid/hid-zpff.c | ||
29 | +++ b/drivers/hid/hid-zpff.c | ||
30 | @@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid) | ||
31 | struct hid_report *report; | ||
32 | struct hid_input *hidinput = list_entry(hid->inputs.next, | ||
33 | struct hid_input, list); | ||
34 | - struct list_head *report_list = | ||
35 | - &hid->report_enum[HID_OUTPUT_REPORT].report_list; | ||
36 | struct input_dev *dev = hidinput->input; | ||
37 | - int error; | ||
38 | + int i, error; | ||
39 | |||
40 | - if (list_empty(report_list)) { | ||
41 | - hid_err(hid, "no output report found\n"); | ||
42 | - return -ENODEV; | ||
43 | - } | ||
44 | - | ||
45 | - report = list_entry(report_list->next, struct hid_report, list); | ||
46 | - | ||
47 | - if (report->maxfield < 4) { | ||
48 | - hid_err(hid, "not enough fields in report\n"); | ||
49 | - return -ENODEV; | ||
50 | + for (i = 0; i < 4; i++) { | ||
51 | + report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); | ||
52 | + if (!report) | ||
53 | + return -ENODEV; | ||
54 | } | ||
55 | |||
56 | zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); | ||
57 | -- | ||
58 | 1.7.9.5 | ||
59 | |||