diff options
author | Adrian Dudau <adrian.dudau@enea.com> | 2015-11-02 10:57:44 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2015-11-02 11:20:41 +0100 |
commit | a130fba56f34391c7e921b2e2fd2ba174002e6a5 (patch) | |
tree | 5f50afba2f2ff1f9f524e8cb7c24b90b8212cb77 /recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch | |
download | meta-enea-bsp-arm-a130fba56f34391c7e921b2e2fd2ba174002e6a5.tar.gz |
Initial commit
result of splitting up meta-enea
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch new file mode 100644 index 0000000..a249c54 --- /dev/null +++ b/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From 297502abb32e225fb23801fcdb0e4f6f8e17099a Mon Sep 17 00:00:00 2001 | ||
2 | From: Kees Cook <keescook@chromium.org> | ||
3 | Date: Wed, 11 Sep 2013 21:56:56 +0200 | ||
4 | Subject: [PATCH] HID: logitech-dj: validate output report details | ||
5 | |||
6 | A HID device could send a malicious output report that would cause the | ||
7 | logitech-dj HID driver to leak kernel memory contents to the device, or | ||
8 | trigger a NULL dereference during initialization: | ||
9 | |||
10 | [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b | ||
11 | ... | ||
12 | [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 | ||
13 | [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90 | ||
14 | |||
15 | CVE-2013-2895 | ||
16 | |||
17 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
18 | Cc: stable@vger.kernel.org | ||
19 | Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> | ||
20 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
21 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
22 | --- | ||
23 | drivers/hid/hid-logitech-dj.c | 10 ++++++++-- | ||
24 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c | ||
27 | index 7800b14..2e53024 100644 | ||
28 | --- a/drivers/hid/hid-logitech-dj.c | ||
29 | +++ b/drivers/hid/hid-logitech-dj.c | ||
30 | @@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, | ||
31 | struct hid_report *report; | ||
32 | struct hid_report_enum *output_report_enum; | ||
33 | u8 *data = (u8 *)(&dj_report->device_index); | ||
34 | - int i; | ||
35 | + unsigned int i; | ||
36 | |||
37 | output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; | ||
38 | report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; | ||
39 | @@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, | ||
40 | return -ENODEV; | ||
41 | } | ||
42 | |||
43 | - for (i = 0; i < report->field[0]->report_count; i++) | ||
44 | + for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++) | ||
45 | report->field[0]->value[i] = data[i]; | ||
46 | |||
47 | hid_hw_request(hdev, report, HID_REQ_SET_REPORT); | ||
48 | @@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev, | ||
49 | goto hid_parse_fail; | ||
50 | } | ||
51 | |||
52 | + if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, | ||
53 | + 0, DJREPORT_SHORT_LENGTH - 1)) { | ||
54 | + retval = -ENODEV; | ||
55 | + goto hid_parse_fail; | ||
56 | + } | ||
57 | + | ||
58 | /* Starts the usb device and connects to upper interfaces hiddev and | ||
59 | * hidraw */ | ||
60 | retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); | ||
61 | -- | ||
62 | 1.7.9.5 | ||
63 | |||