Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch | 41 |
1 files changed, 0 insertions, 41 deletions
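--- a/recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:28 +0200
-Subject: [PATCH] HID: ntrig: validate feature report details
-
-A HID device could send a malicious feature report that would cause the
-ntrig HID driver to trigger a NULL dereference during initialization:
-
-[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
-...
-[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
-
-CVE-2013-2896
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
----
-drivers/hid/hid-ntrig.c | 3 ++-
-1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index 98d1fdf..600f207 100644
---- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
-struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
-report_id_hash[0x0d];
-
-- if (!report)
-+ if (!report || report->maxfield < 1 ||
-+ report->field[0]->report_count < 1)
-return -EINVAL;
-
-hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
---
-1.7.9.5
-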