diff options
Diffstat (limited to 'recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch')
-rw-r--r-- | recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch deleted file mode 100644 index 745fa9e..0000000 --- a/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kees Cook <keescook@chromium.org> | ||
3 | Date: Wed, 28 Aug 2013 22:31:44 +0200 | ||
4 | Subject: [PATCH] HID: sensor-hub: validate feature report details | ||
5 | |||
6 | A HID device could send a malicious feature report that would cause the | ||
7 | sensor-hub HID driver to read past the end of heap allocation, leaking | ||
8 | kernel memory contents to the caller. | ||
9 | |||
10 | CVE-2013-2898 | ||
11 | |||
12 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
13 | Cc: stable@kernel.org | ||
14 | Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com> | ||
15 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
16 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
17 | --- | ||
18 | drivers/hid/hid-sensor-hub.c | 3 ++- | ||
19 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c | ||
22 | index ffc80cf..6fca30e 100644 | ||
23 | --- a/drivers/hid/hid-sensor-hub.c | ||
24 | +++ b/drivers/hid/hid-sensor-hub.c | ||
25 | @@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, | ||
26 | |||
27 | mutex_lock(&data->mutex); | ||
28 | report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); | ||
29 | - if (!report || (field_index >= report->maxfield)) { | ||
30 | + if (!report || (field_index >= report->maxfield) || | ||
31 | + report->field[field_index]->report_count < 1) { | ||
32 | ret = -EINVAL; | ||
33 | goto done_proc; | ||
34 | } | ||
35 | -- | ||
36 | 1.7.9.5 | ||
37 | |||