author | Adrian Dudau <adrian.dudau@enea.com> | 2015-11-02 10:57:44 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2015-11-02 11:20:41 +0100 |
commit | a130fba56f34391c7e921b2e2fd2ba174002e6a5 (patch) | |
tree | 5f50afba2f2ff1f9f524e8cb7c24b90b8212cb77 /recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch | |
download | meta-enea-bsp-arm-a130fba56f34391c7e921b2e2fd2ba174002e6a5.tar.gz |
Initial commit
result of splitting up meta-enea
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch | 49 |
1 files changed, 49 insertions, 0 deletions
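--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch
@@ -0,0 +1,49 @@
+From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: [PATCH] HID: picolcd_core: validate output report details
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+report->maxfield < 1
+
+to
+
+report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
+Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-picolcd_core.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..acbb0210 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+buf += 10;
+cnt -= 10;
+}
+- if (!report)
++ if (!report || report->maxfield != 1)
+return -EINVAL;
+
+while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+--
+1.7.9.5
+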
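Review bot: The patch header records its origin only as free text (the `From 1e87a2456b0227ca4ab881e19a11bb99d164e792` line and a bare `CVE-2013-2899`), so nothing in the file marks it in a machine-readable way as an upstream backport. Adding `Upstream-Status: Backport` and `CVE: CVE-2013-2899` above the `---` separator would let layer tooling and auditors track which CVE fixes this BSP carries. The diffstat shown here is limited to this one file, so whether a kernel recipe lists the patch in `SRC_URI` cannot be seen; a patch that is shipped but not listed leaves the driver unfixed while the tree looks patched. The guard `if (!report || report->maxfield != 1)` sits in picolcd_operation_mode_store, whose body starts and ends outside the inner hunk, so it is worth confirming that the hunk applies at line 290 of the kernel version this layer actually builds.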