diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-07-25 12:34:27 +0200 |
---|---|---|
committer | Nora Björklund <nora.bjorklund@enea.com> | 2016-07-27 14:45:52 +0200 |
commit | 40894e99a839ce0e337bb3a7b83327bd64417d56 (patch) | |
tree | 5d218098dd1adbb20829c5692dcd38ef7fdfebae /recipes-kernel/linux/files | |
parent | ee6caf6ebd64c77c4ca53fb5ab08856d41142722 (diff) | |
download | meta-enea-bsp-common-40894e99a839ce0e337bb3a7b83327bd64417d56.tar.gz |
kernel/drivers/hid: CVE-2016-5829
Fixes a heap-based buffer overflow vulnerability in the Linux kernel's
hiddev driver. This flaw could allow a local attacker to corrupt
kernel memory or crashing the system.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5829
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f67b6920a0cf03d363c5f3bfb14f5d258168dc8c
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files')
-rw-r--r-- | recipes-kernel/linux/files/hid-CVE-2016-5829.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch new file mode 100644 index 0000000..fca7e51 --- /dev/null +++ b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001 | ||
2 | From: Scott Bauer <sbauer@plzdonthack.me> | ||
3 | Date: Thu, 23 Jun 2016 08:59:47 -0600 | ||
4 | Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES | ||
5 | commands | ||
6 | |||
7 | [ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ] | ||
8 | |||
9 | This patch validates the num_values parameter from userland during the | ||
10 | HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set | ||
11 | to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter | ||
12 | leading to a heap overflow. | ||
13 | |||
14 | CVE: CVE-2016-5829 | ||
15 | Upstream-Status: Backport | ||
16 | |||
17 | Cc: stable@vger.kernel.org | ||
18 | Signed-off-by: Scott Bauer <sbauer@plzdonthack.me> | ||
19 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | ||
20 | Signed-off-by: Sasha Levin <sasha.levin@oracle.com> | ||
21 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
22 | --- | ||
23 | drivers/hid/usbhid/hiddev.c | 10 +++++----- | ||
24 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
25 | |||
26 | diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c | ||
27 | index 2f1ddca..700145b 100644 | ||
28 | --- a/drivers/hid/usbhid/hiddev.c | ||
29 | +++ b/drivers/hid/usbhid/hiddev.c | ||
30 | @@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, | ||
31 | goto inval; | ||
32 | } else if (uref->usage_index >= field->report_count) | ||
33 | goto inval; | ||
34 | - | ||
35 | - else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && | ||
36 | - (uref_multi->num_values > HID_MAX_MULTI_USAGES || | ||
37 | - uref->usage_index + uref_multi->num_values > field->report_count)) | ||
38 | - goto inval; | ||
39 | } | ||
40 | |||
41 | + if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && | ||
42 | + (uref_multi->num_values > HID_MAX_MULTI_USAGES || | ||
43 | + uref->usage_index + uref_multi->num_values > field->report_count)) | ||
44 | + goto inval; | ||
45 | + | ||
46 | switch (cmd) { | ||
47 | case HIDIOCGUSAGE: | ||
48 | uref->value = field->value[uref->usage_index]; | ||
49 | -- | ||
50 | cgit v0.12 | ||
51 | |||