Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch | 107 |
1 files changed, 0 insertions, 107 deletions
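diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch b/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch
deleted file mode 100644
index 860d710..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 331415ff16a12147d57d5c953f3a961b7ede348b Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:50 +0200
-Subject: [PATCH] HID: provide a helper for validating hid reports
-
-Many drivers need to validate the characteristics of their HID report
-during initialization to avoid misusing the reports. This adds a common
-helper to perform validation of the report exisitng, the field existing,
-and the expected number of values within the field.
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
----
-drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
-include/linux/hid.h | 4 ++++
-2 files changed, 62 insertions(+)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index ae88a97..be52c06 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -801,6 +801,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
-}
-EXPORT_SYMBOL_GPL(hid_parse_report);
-
-+static const char * const hid_report_names[] = {
-+ "HID_INPUT_REPORT",
-+ "HID_OUTPUT_REPORT",
-+ "HID_FEATURE_REPORT",
-+};
-+/**
-+ * hid_validate_values - validate existing device report's value indexes
-+ *
-+ * @device: hid device
-+ * @type: which report type to examine
-+ * @id: which report ID to examine (0 for first)
-+ * @field_index: which report field to examine
-+ * @report_counts: expected number of values
-+ *
-+ * Validate the number of values in a given field of a given report, after
-+ * parsing.
-+ */
-+struct hid_report *hid_validate_values(struct hid_device *hid,
-+ unsigned int type, unsigned int id,
-+ unsigned int field_index,
-+ unsigned int report_counts)
-+{
-+ struct hid_report *report;
-+
-+ if (type > HID_FEATURE_REPORT) {
-+ hid_err(hid, "invalid HID report type %u\n", type);
-+ return NULL;
-+ }
-+
-+ if (id >= HID_MAX_IDS) {
-+ hid_err(hid, "invalid HID report id %u\n", id);
-+ return NULL;
-+ }
-+
-+ /*
-+ * Explicitly not using hid_get_report() here since it depends on
-+ * ->numbered being checked, which may not always be the case when
-+ * drivers go to access report values.
-+ */
-+ report = hid->report_enum[type].report_id_hash[id];
-+ if (!report) {
-+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
-+ return NULL;
-+ }
-+ if (report->maxfield <= field_index) {
-+ hid_err(hid, "not enough fields in %s %u\n",
-+ hid_report_names[type], id);
-+ return NULL;
-+ }
-+ if (report->field[field_index]->report_count < report_counts) {
-+ hid_err(hid, "not enough values in %s %u field %u\n",
-+ hid_report_names[type], id, field_index);
-+ return NULL;
-+ }
-+ return report;
-+}
-+EXPORT_SYMBOL_GPL(hid_validate_values);
-+
-/**
-* hid_open_report - open a driver-specific device report
-*
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index ee1ffc5..31b9d29 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -756,6 +756,10 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);
-struct hid_device *hid_allocate_device(void);
-struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
-int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
-+struct hid_report *hid_validate_values(struct hid_device *hid,
-+ unsigned int type, unsigned int id,
-+ unsigned int field_index,
-+ unsigned int report_counts);
-int hid_open_report(struct hid_device *device);
-int hid_check_keys_pressed(struct hid_device *hid);
-int hid_connect(struct hid_device *hid, unsigned int connect_mask);
---
-1.7.9.5
-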