Diffstat (limited to 'recipes-kernel/linux/files')
18 files changed, 1073 insertions, 0 deletions
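--- /dev/null
+++ b/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch
@@ -0,0 +1,52 @@
+From c5c56513b779cb082d05f63c606bde9321d395fb Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Tue, 22 Apr 2014 13:52:58 +0200
+Subject: [PATCH] net: fib: fib6_add: fix potential NULL pointer dereference
+
+When the kernel is compiled with CONFIG_IPV6_SUBTREES, and we return
+with an error in fn = fib6_add_1(), then error codes are encoded into
+the return pointer e.g. ERR_PTR(-ENOENT). In such an error case, we
+write the error code into err and jump to out, hence enter the if(err)
+condition. Now, if CONFIG_IPV6_SUBTREES is enabled, we check for:
+if (pn != fn && pn->leaf == rt)
+...
+if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO))
+...
+Since pn is NULL and fn is f.e. ERR_PTR(-ENOENT), then pn != fn
+evaluates to true and causes a NULL-pointer dereference on further
+checks on pn. Fix it, by setting both NULL in error case, so that
+pn != fn already evaluates to false and no further dereference
+takes place.
+
+This was first correctly implemented in 4a287eba2 ("IPv6 routing,
+NLM_F_* flag support: REPLACE and EXCL flags support, warn about
+missing CREATE flag"), but the bug got later on introduced by
+188c517a0 ("ipv6: return errno pointers consistently for fib6_add_1()").
+
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Lin Ming <mlin@ss.pku.edu.cn>
+Cc: Matti Vaittinen <matti.vaittinen@nsn.com>
+Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Matti Vaittinen <matti.vaittinen@nsn.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+net/ipv6/ip6_fib.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 5fc9c7a..45562f6 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -828,6 +828,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
+
+if (IS_ERR(fn)) {
+err = PTR_ERR(fn);
++ fn = NULL;
+goto out;
+}
+
+--
+1.7.10.4
+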
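Review bot: None of the patch files added in this commit carries an `Upstream-Status:` header line, which the OpenEmbedded patch convention requires so the layer can record whether a fix is a backport, still pending upstream, or layer-specific; this file already cites the upstream commit on its first line, so a single `Upstream-Status: Backport` line placed above the Signed-off-by trailers would be enough. The same omission applies to Check_correct_namespace_when_spoofing_pid_over_SCM_RIGHTS.patch and to HID_CVE_patches/0001 through 0007 on this page (0008 is cut off at the end of the view). Unlike the HID series, this patch names no advisory in its message; if one applies to the fix, recording it in the header the way the HID patches do would make CVE tracking for the kernel recipe straightforward.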
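--- /dev/null
+++ b/recipes-kernel/linux/files/Check_correct_namespace_when_spoofing_pid_over_SCM_RIGHTS.patch
@@ -0,0 +1,13 @@
+diff --git a/net/core/scm.c b/net/core/scm.c
+index 03795d0..b4da80b 100644
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
+return -EINVAL;
+
+if ((creds->pid == task_tgid_vnr(current) ||
+- ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
++ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
+((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
+uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
+((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||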
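Review bot: This patch file has no header at all — no `From:` line with the upstream commit id, no `Subject:`, no description, no `Signed-off-by:` and no `Upstream-Status:` — so a reader of the layer cannot tell which upstream commit or advisory the scm_check_creds() change backports, nor why `task_active_pid_ns(current)->user_ns` is the namespace the capability check must be made against where `current->nsproxy->pid_ns->user_ns` was wrong. The neighbouring 0001-net-fib patch shows the expected git-format-patch layout; the same header here, with the upstream commit id (placeholder `<UPSTREAM-COMMIT-ID>`), the one-paragraph rationale from the upstream message and any CVE reference the fix carries, would make the provenance of this credential check auditable. The enclosing scm_check_creds() continues outside the hunk, so whether every remaining capability check in it uses the same namespace cannot be confirmed from this view.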
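--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch
@@ -0,0 +1,80 @@
+From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:29:55 +0200
+Subject: [PATCH] HID: validate HID report id size
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-core.c | 10 +++++++---
+include/linux/hid.h | 4 +++-
+2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 36668d1..5ea7d51 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+struct hid_report_enum *report_enum = device->report_enum + type;
+struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+if (report_enum->report_id_hash[id])
+return report_enum->report_id_hash[id];
+
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+
+case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+return -1;
+}
+return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+for (i = 0; i < HID_REPORT_TYPES; i++) {
+struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+struct hid_report *report = report_enum->report_id_hash[j];
+if (report)
+hid_free_report(report);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 0c48991..ff545cc 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -393,10 +393,12 @@ struct hid_report {
+struct hid_device *device; /* associated device */
+};
+
++#define HID_MAX_IDS 256
++
+struct hid_report_enum {
+unsigned numbered;
+struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+};
+
+#define HID_REPORT_TYPES 3
+--
+1.7.9.5
+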
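--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch
@@ -0,0 +1,107 @@
+From 331415ff16a12147d57d5c953f3a961b7ede348b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:50 +0200
+Subject: [PATCH] HID: provide a helper for validating hid reports
+
+Many drivers need to validate the characteristics of their HID report
+during initialization to avoid misusing the reports. This adds a common
+helper to perform validation of the report exisitng, the field existing,
+and the expected number of values within the field.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
+include/linux/hid.h | 4 ++++
+2 files changed, 62 insertions(+)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index ae88a97..be52c06 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -801,6 +801,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
+}
+EXPORT_SYMBOL_GPL(hid_parse_report);
+
++static const char * const hid_report_names[] = {
++ "HID_INPUT_REPORT",
++ "HID_OUTPUT_REPORT",
++ "HID_FEATURE_REPORT",
++};
++/**
++ * hid_validate_values - validate existing device report's value indexes
++ *
++ * @device: hid device
++ * @type: which report type to examine
++ * @id: which report ID to examine (0 for first)
++ * @field_index: which report field to examine
++ * @report_counts: expected number of values
++ *
++ * Validate the number of values in a given field of a given report, after
++ * parsing.
++ */
++struct hid_report *hid_validate_values(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int field_index,
++ unsigned int report_counts)
++{
++ struct hid_report *report;
++
++ if (type > HID_FEATURE_REPORT) {
++ hid_err(hid, "invalid HID report type %u\n", type);
++ return NULL;
++ }
++
++ if (id >= HID_MAX_IDS) {
++ hid_err(hid, "invalid HID report id %u\n", id);
++ return NULL;
++ }
++
++ /*
++ * Explicitly not using hid_get_report() here since it depends on
++ * ->numbered being checked, which may not always be the case when
++ * drivers go to access report values.
++ */
++ report = hid->report_enum[type].report_id_hash[id];
++ if (!report) {
++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
++ return NULL;
++ }
++ if (report->maxfield <= field_index) {
++ hid_err(hid, "not enough fields in %s %u\n",
++ hid_report_names[type], id);
++ return NULL;
++ }
++ if (report->field[field_index]->report_count < report_counts) {
++ hid_err(hid, "not enough values in %s %u field %u\n",
++ hid_report_names[type], id, field_index);
++ return NULL;
++ }
++ return report;
++}
++EXPORT_SYMBOL_GPL(hid_validate_values);
++
+/**
+* hid_open_report - open a driver-specific device report
+*
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index ee1ffc5..31b9d29 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -756,6 +756,10 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);
+struct hid_device *hid_allocate_device(void);
+struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
+int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
++struct hid_report *hid_validate_values(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int field_index,
++ unsigned int report_counts);
+int hid_open_report(struct hid_device *device);
+int hid_check_keys_pressed(struct hid_device *hid);
+int hid_connect(struct hid_device *hid, unsigned int connect_mask);
+--
+1.7.9.5
+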
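--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch
@@ -0,0 +1,59 @@
+From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:51 +0200
+Subject: [PATCH] HID: zeroplus: validate output report details
+
+The zeroplus HID driver was not checking the size of allocated values
+in fields it used. A HID device could send a malicious output report
+that would cause the driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+...
+[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2889
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-zpff.c | 18 +++++------------
+1 file changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
+index 6ec28a3..a29756c 100644
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid)
+struct hid_report *report;
+struct hid_input *hidinput = list_entry(hid->inputs.next,
+struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+struct input_dev *dev = hidinput->input;
+- int error;
++ int i, error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
+- return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 4) {
+- hid_err(hid, "not enough fields in report\n");
+- return -ENODEV;
++ for (i = 0; i < 4; i++) {
++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
++ if (!report)
++ return -ENODEV;
+}
+
+zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
+--
+1.7.9.5
+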
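--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0004-HID-sony-validate-HID-output-report-details.patch
@@ -0,0 +1,43 @@
+From 9446edb9a1740989cf6c20daf7510fb9a23be14a Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:52 +0200
+Subject: [PATCH] HID: sony: validate HID output report details
+
+This driver must validate the availability of the HID output report and
+its size before it can write LED states via buzz_set_leds(). This stops
+a heap overflow that is possible if a device provides a malicious HID
+output report:
+
+[ 108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002
+...
+[ 117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten
+
+CVE-2013-2890
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org #3.11
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-sony.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 30dbb6b..b18320d 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev)
+drv_data = hid_get_drvdata(hdev);
+BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER));
+
++ /* Validate expected report characteristics. */
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 7))
++ return -ENODEV;
++
+buzz = kzalloc(sizeof(*buzz), GFP_KERNEL);
+if (!buzz) {
+hid_err(hdev, "Insufficient memory, cannot allocate driver data\n");
+--
+1.7.9.5
+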
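--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch
@@ -0,0 +1,43 @@
+From 41df7f6d43723deb7364340b44bc5d94bf717456 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:53 +0200
+Subject: [PATCH] HID: steelseries: validate output report details
+
+A HID device could send a malicious output report that would cause the
+steelseries HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+...
+[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2891
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-steelseries.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
+index d164911..29f328f 100644
+--- a/drivers/hid/hid-steelseries.c
++++ b/drivers/hid/hid-steelseries.c
+@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
+goto err_free;
+}
+
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) {
++ ret = -ENODEV;
++ goto err_free;
++ }
++
+ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+if (ret) {
+hid_err(hdev, "hw start failed\n");
+--
+1.7.9.5
+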
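--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch
@@ -0,0 +1,47 @@
+From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:30:49 +0200
+Subject: [PATCH] HID: pantherlord: validate output report details
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-pl.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+strong = &report->field[0]->value[2];
+weak = &report->field[0]->value[3];
+debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+report->field[0]->value[0] = 0x00;
+report->field[1]->value[0] = 0x00;
+strong = &report->field[2]->value[0];
+--
+1.7.9.5
+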
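--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0007-HID-LG-validate-HID-output-report-details.patch
@@ -0,0 +1,195 @@
+From 0fb6bd06e06792469acc15bbe427361b56ada528 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:54 +0200
+Subject: [PATCH] HID: LG: validate HID output report details
+
+A HID device could send a malicious output report that would cause the
+lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+during an event, causing a heap overflow:
+
+[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+...
+[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+Additionally, while lg2 did correctly validate the report details, it was
+cleaned up and shortened.
+
+CVE-2013-2893
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-lg2ff.c | 19 +++---------------
+drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+drivers/hid/hid-lg4ff.c | 20 +-------------------
+drivers/hid/hid-lgff.c | 17 ++---------------
+4 files changed, 12 insertions(+), 73 deletions(-)
+
+diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
+index b3cd150..1a42eaa 100644
+--- a/drivers/hid/hid-lg2ff.c
++++ b/drivers/hid/hid-lg2ff.c
+@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
+struct hid_report *report;
+struct hid_input *hidinput = list_entry(hid->inputs.next,
+struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+struct input_dev *dev = hidinput->input;
+int error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
++ /* Check that the report looks ok */
++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7);
++ if (!report)
+return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 1) {
+- hid_err(hid, "output report is empty\n");
+- return -ENODEV;
+- }
+- if (report->field[0]->report_count < 7) {
+- hid_err(hid, "not enough values in the field\n");
+- return -ENODEV;
+- }
+
+lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
+if (!lg2ff)
+diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
+index e52f181..8c2da18 100644
+--- a/drivers/hid/hid-lg3ff.c
++++ b/drivers/hid/hid-lg3ff.c
+@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
+int x, y;
+
+/*
+- * Maxusage should always be 63 (maximum fields)
+- * likely a better way to ensure this data is clean
++ * Available values in the field should always be 63, but we only use up to
++ * 35. Instead, clear the entire area, however big it is.
+*/
+- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
++ memset(report->field[0]->value, 0,
++ sizeof(__s32) * report->field[0]->report_count);
+
+switch (effect->type) {
+case FF_CONSTANT:
+@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
+int lg3ff_init(struct hid_device *hid)
+{
+struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+const signed short *ff_bits = ff3_joystick_ac;
+int error;
+int i;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+/* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- if (!report) {
+- hid_err(hid, "NULL output report\n");
+- return -1;
+- }
+-
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35))
++ return -ENODEV;
+
+/* Assume single fixed device G940 */
+for (i = 0; ff_bits[i] >= 0; i++)
+diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
+index 0ddae2a..8782fe1 100644
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
+int lg4ff_init(struct hid_device *hid)
+{
+struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+struct lg4ff_device_entry *entry;
+struct lg_drv_data *drv_data;
+struct usb_device_descriptor *udesc;
+int error, i, j;
+__u16 bcdDevice, rev_maj, rev_min;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+/* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- if (!report) {
+- hid_err(hid, "NULL output report\n");
++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
+return -1;
+- }
+-
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
+
+/* Check what wheel has been connected */
+for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
+diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
+index d7ea8c8..e1394af 100644
+--- a/drivers/hid/hid-lgff.c
++++ b/drivers/hid/hid-lgff.c
+@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
+int lgff_init(struct hid_device* hid)
+{
+struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+const signed short *ff_bits = ff_joystick;
+int error;
+int i;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+/* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
++ return -ENODEV;
+
+for (i = 0; i < ARRAY_SIZE(devices); i++) {
+if (dev->id.vendor == devices[i].idVendor &&
+--
+1.7.9.5
+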
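--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0008-HID-lenovo-tpkbd-validate-output-report-details.patch
@@ -0,0 +1,48 @@
+From 0a9cd0a80ac559357c6a90d26c55270ed752aa26 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:55 +0200
+Subject: [PATCH] HID: lenovo-tpkbd: validate output report details
+
+A HID device could send a malicious output report that would cause the
+lenovo-tpkbd HID driver to write just beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+...
+[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2894
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
+index 07837f5..762d988 100644
+--- a/drivers/hid/hid-lenovo-tpkbd.c
++++ b/drivers/hid/hid-lenovo-tpkbd.c
+@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
+struct tpkbd_data_pointer *data_pointer;
+size_t name_sz = strlen(dev_name(dev)) + 16;
+char *name_mute, *name_micmute;
+- int ret;
++ int i, ret;
++
++ /* Validate required reports. */
++ for (i = 0; i < 4; i++) {
++ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1))
++ return -ENODEV;
++ }
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2))
++ return -ENODEV;
+
+if (sysfs_create_group(&hdev->dev.kobj,
+&tpkbd_attr_group_pointer)) {
+--
+1.7.9.5
+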
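Review bot: None of the HID_CVE_patches files (0008 through 0014) nor arm_arch_timer-Keystone-2-architected-timer-frequenc.patch carries an `Upstream-Status:` line, while the layer's own disable_hw_checksum_offload.patch does; for these backports a trailer such as `Upstream-Status: Backport [0a9cd0a80ac559357c6a90d26c55270ed752aa26]`, placed after the Signed-off-by lines and citing the upstream commit id already present in the `From` header, lets the recipe tooling and future maintainers tell which patches still need tracking. The code change in this hunk matches what the commit message describes as far as this view shows; tpkbd_probe_tp continues outside the hunk.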
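--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch
@@ -0,0 +1,63 @@
+From 297502abb32e225fb23801fcdb0e4f6f8e17099a Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:56 +0200
+Subject: [PATCH] HID: logitech-dj: validate output report details
+
+A HID device could send a malicious output report that would cause the
+logitech-dj HID driver to leak kernel memory contents to the device, or
+trigger a NULL dereference during initialization:
+
+[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+...
+[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+[ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+CVE-2013-2895
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-logitech-dj.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index 7800b14..2e53024 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+struct hid_report *report;
+struct hid_report_enum *output_report_enum;
+u8 *data = (u8 *)(&dj_report->device_index);
+- int i;
++ unsigned int i;
+
+output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+return -ENODEV;
+}
+
+- for (i = 0; i < report->field[0]->report_count; i++)
++ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
+report->field[0]->value[i] = data[i];
+
+hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
+@@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev,
+goto hid_parse_fail;
+}
+
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++ 0, DJREPORT_SHORT_LENGTH - 1)) {
++ retval = -ENODEV;
++ goto hid_parse_fail;
++ }
++
+/* Starts the usb device and connects to upper interfaces hiddev and
+* hidraw */
+retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+--
+1.7.9.5
+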
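--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch
@@ -0,0 +1,41 @@
+From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:28 +0200
+Subject: [PATCH] HID: ntrig: validate feature report details
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-ntrig.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index 98d1fdf..600f207 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+return -EINVAL;
+
+hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
+--
+1.7.9.5
+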
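--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0011-HID-multitouch-validate-indexes-details.patch
@@ -0,0 +1,86 @@
+From 8821f5dc187bdf16cfb32ef5aa8c3035273fa79a Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Wed, 11 Sep 2013 21:56:58 +0200
+Subject: [PATCH] HID: multitouch: validate indexes details
+
+When working on report indexes, always validate that they are in bounds.
+Without this, a HID device could report a malicious feature report that
+could trick the driver into a heap overflow:
+
+[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+...
+[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+Note that we need to change the indexes from s8 to s16 as they can
+be between -1 and 255.
+
+CVE-2013-2897
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-multitouch.c | 26 ++++++++++++++------------
+1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index ac28f08..5e5fe1b 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -101,9 +101,9 @@ struct mt_device {
+unsigned last_slot_field; /* the last field of a slot */
+unsigned mt_report_id; /* the report ID of the multitouch device */
+unsigned pen_report_id; /* the report ID of the pen device */
+- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */
+- __s8 inputmode_index; /* InputMode HID feature index in the report */
+- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature,
++ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */
++ __s16 inputmode_index; /* InputMode HID feature index in the report */
++ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature,
+-1 if non-existent */
+__u8 num_received; /* how many contacts we received */
+__u8 num_expected; /* expected last contact index */
+@@ -312,20 +312,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
+struct hid_field *field, struct hid_usage *usage)
+{
+struct mt_device *td = hid_get_drvdata(hdev);
+- int i;
+
+switch (usage->hid) {
+case HID_DG_INPUTMODE:
+- td->inputmode = field->report->id;
+- td->inputmode_index = 0; /* has to be updated below */
+-
+- for (i=0; i < field->maxusage; i++) {
+- if (field->usage[i].hid == usage->hid) {
+- td->inputmode_index = i;
+- break;
+- }
++ /* Ignore if value index is out of bounds. */
++ if (usage->usage_index >= field->report_count) {
++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
++ break;
+}
+
++ td->inputmode = field->report->id;
++ td->inputmode_index = usage->usage_index;
++
+break;
+case HID_DG_CONTACTMAX:
+td->maxcontact_report_id = field->report->id;
+@@ -511,6 +509,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
+mt_store_field(usage, td, hi);
+return 1;
+case HID_DG_CONTACTCOUNT:
++ /* Ignore if indexes are out of bounds. */
++ if (field->index >= field->report->maxfield ||
++ usage->usage_index >= field->report_count)
++ return 1;
+td->cc_index = field->index;
+td->cc_value_index = usage->usage_index;
+return 1;
+--
+1.7.9.5
+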
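--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch
@@ -0,0 +1,37 @@
+From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:44 +0200
+Subject: [PATCH] HID: sensor-hub: validate feature report details
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-sensor-hub.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ffc80cf..6fca30e 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+mutex_lock(&data->mutex);
+report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ret = -EINVAL;
+goto done_proc;
+}
+--
+1.7.9.5
+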
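--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch
@@ -0,0 +1,49 @@
+From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: [PATCH] HID: picolcd_core: validate output report details
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+report->maxfield < 1
+
+to
+
+report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
+Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-picolcd_core.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..acbb0210 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+buf += 10;
+cnt -= 10;
+}
+- if (!report)
++ if (!report || report->maxfield != 1)
+return -EINVAL;
+
+while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+--
+1.7.9.5
+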
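--- /dev/null
+++ b/recipes-kernel/linux/files/HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch
@@ -0,0 +1,36 @@
+From be67b68d52fa28b9b721c47bb42068f0c1214855 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: [PATCH] HID: check for NULL field when setting values
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+drivers/hid/hid-core.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index ebf5781..dcd60eb 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1169,7 +1169,12 @@ EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
+
+int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+{
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+hid_dump_input(field->report->device, field->usage + offset, value);
+
+--
+1.7.9.5
+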
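--- /dev/null
+++ b/recipes-kernel/linux/files/arm_arch_timer-Keystone-2-architected-timer-frequenc.patch
@@ -0,0 +1,55 @@
+From e2d575410329f42542972b7276fbb1c2c7f48334 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sixten=20Sj=C3=B6str=C3=B6m=20Thames?=
+<Sixten.Sjoestroem.Thames@enea.com>
+Date: Mon, 12 May 2014 21:18:47 +0200
+Subject: [PATCH] arm_arch_timer: Keystone 2 architected timer frequency fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The arch timer frequency register returns incorrect values on early
+versions of the Keystone 2 evm silicon. The frequency register always
+returns 1000 MHz on bad silicon. This temporary fix solves that.
+
+Signed-off-by: Sixten Sjöström Thames <Sixten.Sjoestroem.Thames@enea.com>
+---
+drivers/clocksource/arm_arch_timer.c | 16 ++++++++++++++++
+1 file changed, 16 insertions(+)
+
+diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c
+index a2b2541..321aba1 100644
+--- a/drivers/clocksource/arm_arch_timer.c
++++ b/drivers/clocksource/arm_arch_timer.c
+@@ -23,6 +23,8 @@
+
+#include <clocksource/arm_arch_timer.h>
+
++#define K2_PG1_AT_FREQ 133120000UL
++
+static u32 arch_timer_rate;
+
+enum ppi_nr {
+@@ -165,6 +167,20 @@ static int arch_timer_available(void)
+if (arch_timer_rate == 0) {
+freq = arch_timer_get_cntfrq();
+
++ /* The Keystone 2 EVM PG1.0 silicon has a malfunctional
++ * Architected timer. The timer frequency register allways
++ * incorrectly returns 1000 MHz. This is a temorary fix for
++ * internal Enea Linux testing so that the same kernel can
++ * be used on targets with both PG1.0 and PG1.1 silicon.
++ * Another solution is to have different DTBs with hard
++ * coded frequencies.*/
++ if (freq == 1000000000) {
++ pr_warn("Keystone 2 EVM specific arch timer fix\n");
++ pr_warn("Set architected timer frequency to %u\n",
++ K2_PG1_AT_FREQ);
++ freq = K2_PG1_AT_FREQ;
++ }
++
+/* Check the timer frequency. */
+if (freq == 0) {
+pr_warn("Architected timer frequency not available\n");
+--
+1.7.10.4
+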
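Review bot: `pr_warn("Set architected timer frequency to %u\n", K2_PG1_AT_FREQ)` passes an `unsigned long` (the macro is defined as `133120000UL`) to a `%u` conversion; that only lines up on 32-bit ARM where `unsigned long` happens to be 32 bits, and `-Wformat` will flag it, so either use `%lu` or move the message after the assignment and print `freq` (which `%u` would match if `freq` shares the `u32` type of `arch_timer_rate`). The quirk is keyed solely on `freq == 1000000000`, so any platform whose timer genuinely runs at 1 GHz would be silently reprogrammed to 133.12 MHz by this generic driver; the comment already names the DT alternative, and gating the override on a Keystone 2 identification would keep it from leaking to other boards. The block comment also has typos (`allways` → `always`, `temorary` → `temporary`) and the file has no `Upstream-Status:` tag. arch_timer_available continues outside the hunk.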
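--- /dev/null
+++ b/recipes-kernel/linux/files/disable_hw_checksum_offload.patch
@@ -0,0 +1,19 @@
+Temporarily disable HW checksum offload
+
+Signed-off-by: Tudor Florea <tudor.florea@enea.com>
+Upstream-Status: Pending
+
+
+diff --git a/arch/arm/boot/dts/k2hk-evm.dts b/arch/arm/boot/dts/k2hk-evm.dts
+index 16cf335..7dc9665 100644
+--- a/arch/arm/boot/dts/k2hk-evm.dts
++++ b/arch/arm/boot/dts/k2hk-evm.dts
+@@ -2521,7 +2521,7 @@
+};
+pa: pa@2000000 {
+label = "keystone-pa";
+- checksum-offload = <1>; /* 1 - HW offload */
++ checksum-offload = <2>;
+txhook-order = <10>;
+txhook-softcsum = <40>;
+rxhook-order = <10>;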
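Review bot: The new line `checksum-offload = <2>;` drops the comment that explained the property's encoding (`/* 1 - HW offload */`) and gives no meaning for `2`, so the next reader has to consult the keystone-pa driver to learn what the value selects; keep a comment such as `checksum-offload = <2>; /* 1 = HW offload; 2 used here to disable HW offload for now, see patch header */` (the meaning of 2 is inferred from the patch title and should be confirmed against the driver's binding). Since the header itself calls this a temporary workaround rather than a change meant for upstream, `Upstream-Status: Inappropriate [configuration]` may describe it better than `Pending`. The pa node continues outside the hunk.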