1 files changed, 0 insertions, 59 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch
deleted file mode 100644
index a2641cf..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:51 +0200
-Subject: [PATCH] HID: zeroplus: validate output report details
-The zeroplus HID driver was not checking the size of allocated values
-in fields it used. A HID device could send a malicious output report
-that would cause the driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
-...
-[ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-CVE-2013-2889
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-zpff.c |   18 +++++-------------
- 1 file changed, 5 insertions(+), 13 deletions(-)
-diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
-index 6ec28a3..a29756c 100644
--- a/drivers/hid/hid-zpff.c
-+++ b/drivers/hid/hid-zpff.c
-@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid)
-        struct hid_report *report;
-        struct hid_input *hidinput = list_entry(hid->inputs.next,
-                                                struct hid_input, list);
-       struct list_head *report_list =
-                       &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
-       int error;
-+       int i, error;
- 
-       if (list_empty(report_list)) {
-               hid_err(hid, "no output report found\n");
-               return -ENODEV;
-       }
-
-       report = list_entry(report_list->next, struct hid_report, list);
-
-       if (report->maxfield < 4) {
-               hid_err(hid, "not enough fields in report\n");
-               return -ENODEV;
-+       for (i = 0; i < 4; i++) {
-+               report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
-+               if (!report)
-+                       return -ENODEV;
-        }
- 
-        zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
-- 
-1.7.9.5

diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch deleted file mode 100644 index a2641cf..0000000 --- a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch +++ /dev/null
@@ -1,59 +0,0 @@
1	From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
2	From: Kees Cook <keescook@chromium.org>
3	Date: Wed, 11 Sep 2013 21:56:51 +0200
4	Subject: [PATCH] HID: zeroplus: validate output report details
5
6	The zeroplus HID driver was not checking the size of allocated values
7	in fields it used. A HID device could send a malicious output report
8	that would cause the driver to write beyond the output report allocation
9	during initialization, causing a heap overflow:
10
11	[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
12	...
13	[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
14
15	CVE-2013-2889
16
17	Signed-off-by: Kees Cook <keescook@chromium.org>
18	Cc: stable@vger.kernel.org
19	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
20	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
21	Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
22	---
23	drivers/hid/hid-zpff.c \| 18 +++++-------------
24	1 file changed, 5 insertions(+), 13 deletions(-)
25
26	diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
27	index 6ec28a3..a29756c 100644
28	--- a/drivers/hid/hid-zpff.c
29	+++ b/drivers/hid/hid-zpff.c
30	@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid)
31	struct hid_report *report;
32	struct hid_input *hidinput = list_entry(hid->inputs.next,
33	struct hid_input, list);
34	- struct list_head *report_list =
35	- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
36	struct input_dev *dev = hidinput->input;
37	- int error;
38	+ int i, error;
39
40	- if (list_empty(report_list)) {
41	- hid_err(hid, "no output report found\n");
42	- return -ENODEV;
43	- }
44	-
45	- report = list_entry(report_list->next, struct hid_report, list);
46	-
47	- if (report->maxfield < 4) {
48	- hid_err(hid, "not enough fields in report\n");
49	- return -ENODEV;
50	+ for (i = 0; i < 4; i++) {
51	+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
52	+ if (!report)
53	+ return -ENODEV;
54	}
55
56	zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
57	--
58	1.7.9.5
59