diff options
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch')
| -rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch deleted file mode 100644 index 15cf09b..0000000 --- a/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch +++ /dev/null | |||
| @@ -1,47 +0,0 @@ | |||
| 1 | From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Kees Cook <keescook@chromium.org> | ||
| 3 | Date: Wed, 28 Aug 2013 22:30:49 +0200 | ||
| 4 | Subject: [PATCH] HID: pantherlord: validate output report details | ||
| 5 | |||
| 6 | A HID device could send a malicious output report that would cause the | ||
| 7 | pantherlord HID driver to write beyond the output report allocation | ||
| 8 | during initialization, causing a heap overflow: | ||
| 9 | |||
| 10 | [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 | ||
| 11 | ... | ||
| 12 | [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten | ||
| 13 | |||
| 14 | CVE-2013-2892 | ||
| 15 | |||
| 16 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
| 17 | Cc: stable@kernel.org | ||
| 18 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
| 19 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
| 20 | --- | ||
| 21 | drivers/hid/hid-pl.c | 10 ++++++++-- | ||
| 22 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c | ||
| 25 | index d29112f..2dcd7d9 100644 | ||
| 26 | --- a/drivers/hid/hid-pl.c | ||
| 27 | +++ b/drivers/hid/hid-pl.c | ||
| 28 | @@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) | ||
| 29 | strong = &report->field[0]->value[2]; | ||
| 30 | weak = &report->field[0]->value[3]; | ||
| 31 | debug("detected single-field device"); | ||
| 32 | - } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && | ||
| 33 | - report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { | ||
| 34 | + } else if (report->field[0]->maxusage == 1 && | ||
| 35 | + report->field[0]->usage[0].hid == | ||
| 36 | + (HID_UP_LED | 0x43) && | ||
| 37 | + report->maxfield >= 4 && | ||
| 38 | + report->field[0]->report_count >= 1 && | ||
| 39 | + report->field[1]->report_count >= 1 && | ||
| 40 | + report->field[2]->report_count >= 1 && | ||
| 41 | + report->field[3]->report_count >= 1) { | ||
| 42 | report->field[0]->value[0] = 0x00; | ||
| 43 | report->field[1]->value[0] = 0x00; | ||
| 44 | strong = &report->field[2]->value[0]; | ||
| 45 | -- | ||
| 46 | 1.7.9.5 | ||
| 47 | |||