summaryrefslogtreecommitdiffstats
path: root/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-07-25 12:34:27 +0200
committerNora Björklund <nora.bjorklund@enea.com>2016-07-27 14:45:52 +0200
commit40894e99a839ce0e337bb3a7b83327bd64417d56 (patch)
tree5d218098dd1adbb20829c5692dcd38ef7fdfebae /recipes-kernel/linux/files/hid-CVE-2016-5829.patch
parentee6caf6ebd64c77c4ca53fb5ab08856d41142722 (diff)
downloadmeta-enea-bsp-common-40894e99a839ce0e337bb3a7b83327bd64417d56.tar.gz
kernel/drivers/hid: CVE-2016-5829
Fixes a heap-based buffer overflow vulnerability in the Linux kernel's hiddev driver. This flaw could allow a local attacker to corrupt kernel memory or crashing the system. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5829 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/hid-CVE-2016-5829.patch')
-rw-r--r--recipes-kernel/linux/files/hid-CVE-2016-5829.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
new file mode 100644
index 0000000..fca7e51
--- /dev/null
+++ b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
@@ -0,0 +1,51 @@
1From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001
2From: Scott Bauer <sbauer@plzdonthack.me>
3Date: Thu, 23 Jun 2016 08:59:47 -0600
4Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
5 commands
6
7[ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ]
8
9This patch validates the num_values parameter from userland during the
10HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
11to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
12leading to a heap overflow.
13
14CVE: CVE-2016-5829
15Upstream-Status: Backport
16
17Cc: stable@vger.kernel.org
18Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
19Signed-off-by: Jiri Kosina <jkosina@suse.cz>
20Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
21Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22---
23 drivers/hid/usbhid/hiddev.c | 10 +++++-----
24 1 file changed, 5 insertions(+), 5 deletions(-)
25
26diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
27index 2f1ddca..700145b 100644
28--- a/drivers/hid/usbhid/hiddev.c
29+++ b/drivers/hid/usbhid/hiddev.c
30@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
31 goto inval;
32 } else if (uref->usage_index >= field->report_count)
33 goto inval;
34-
35- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
36- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
37- uref->usage_index + uref_multi->num_values > field->report_count))
38- goto inval;
39 }
40
41+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
42+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
43+ uref->usage_index + uref_multi->num_values > field->report_count))
44+ goto inval;
45+
46 switch (cmd) {
47 case HIDIOCGUSAGE:
48 uref->value = field->value[uref->usage_index];
49--
50cgit v0.12
51