diff options
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch deleted file mode 100644 index 15cf09b..0000000 --- a/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch +++ /dev/null | |||
@@ -1,47 +0,0 @@ | |||
1 | From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kees Cook <keescook@chromium.org> | ||
3 | Date: Wed, 28 Aug 2013 22:30:49 +0200 | ||
4 | Subject: [PATCH] HID: pantherlord: validate output report details | ||
5 | |||
6 | A HID device could send a malicious output report that would cause the | ||
7 | pantherlord HID driver to write beyond the output report allocation | ||
8 | during initialization, causing a heap overflow: | ||
9 | |||
10 | [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 | ||
11 | ... | ||
12 | [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten | ||
13 | |||
14 | CVE-2013-2892 | ||
15 | |||
16 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
17 | Cc: stable@kernel.org | ||
18 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
19 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
20 | --- | ||
21 | drivers/hid/hid-pl.c | 10 ++++++++-- | ||
22 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
23 | |||
24 | diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c | ||
25 | index d29112f..2dcd7d9 100644 | ||
26 | --- a/drivers/hid/hid-pl.c | ||
27 | +++ b/drivers/hid/hid-pl.c | ||
28 | @@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) | ||
29 | strong = &report->field[0]->value[2]; | ||
30 | weak = &report->field[0]->value[3]; | ||
31 | debug("detected single-field device"); | ||
32 | - } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && | ||
33 | - report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { | ||
34 | + } else if (report->field[0]->maxusage == 1 && | ||
35 | + report->field[0]->usage[0].hid == | ||
36 | + (HID_UP_LED | 0x43) && | ||
37 | + report->maxfield >= 4 && | ||
38 | + report->field[0]->report_count >= 1 && | ||
39 | + report->field[1]->report_count >= 1 && | ||
40 | + report->field[2]->report_count >= 1 && | ||
41 | + report->field[3]->report_count >= 1) { | ||
42 | report->field[0]->value[0] = 0x00; | ||
43 | report->field[1]->value[0] = 0x00; | ||
44 | strong = &report->field[2]->value[0]; | ||
45 | -- | ||
46 | 1.7.9.5 | ||
47 | |||