author | Adrian Dudau <adrian.dudau@enea.com> | 2015-11-02 10:57:44 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2015-11-02 11:20:41 +0100 |
commit | a130fba56f34391c7e921b2e2fd2ba174002e6a5 (patch) | |
tree | 5f50afba2f2ff1f9f524e8cb7c24b90b8212cb77 /recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch | |
Initial commit
result of splitting up meta-enea
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch | 37 |
1 files changed, 37 insertions, 0 deletions
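--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch
@@ -0,0 +1,37 @@
+From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:44 +0200
+Subject: [PATCH] HID: sensor-hub: validate feature report details
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-sensor-hub.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ffc80cf..6fca30e 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+mutex_lock(&data->mutex);
+report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ret = -EINVAL;
+goto done_proc;
+}
+--
+1.7.9.5
+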
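Review bot: The header of the added patch file has no `Upstream-Status:` line, so the layer does not record whether this is an unmodified backport or a local change. The `From 9e8910257397…` line appears to name the originating kernel commit, and adding `Upstream-Status: Backport` beside the existing `CVE-2013-2898` line would make that provenance explicit for later audits. The diffstat on this page is limited to this one file, so it is not visible whether the kernel recipe's `SRC_URI` lists the patch; a CVE fix that is shipped but never applied is a silent gap worth confirming. In the inner hunk the new guard only establishes `report_count >= 1`, which presumably protects a read of the first field value after the check. `sensor_hub_get_feature` continues outside the hunk, so that read cannot be confirmed from here.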