From 40894e99a839ce0e337bb3a7b83327bd64417d56 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 25 Jul 2016 12:34:27 +0200 Subject: kernel/drivers/hid: CVE-2016-5829 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes a heap-based buffer overflow vulnerability in the Linux kernel's hiddev driver. This flaw could allow a local attacker to corrupt kernel memory or crashing the system. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5829 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Signed-off-by: Sona Sarmadi Signed-off-by: Nora Björklund --- recipes-kernel/linux/files/hid-CVE-2016-5829.patch | 51 ++++++++++++++++++++++ recipes-kernel/linux/linux-yocto_4.%.bbappend | 3 +- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 recipes-kernel/linux/files/hid-CVE-2016-5829.patch diff --git a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch new file mode 100644 index 0000000..fca7e51 --- /dev/null +++ b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch @@ -0,0 +1,51 @@ +From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001 +From: Scott Bauer +Date: Thu, 23 Jun 2016 08:59:47 -0600 +Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES + commands + +[ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ] + +This patch validates the num_values parameter from userland during the +HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set +to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter +leading to a heap overflow. + +CVE: CVE-2016-5829 +Upstream-Status: Backport + +Cc: stable@vger.kernel.org +Signed-off-by: Scott Bauer +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Sona Sarmadi +--- + drivers/hid/usbhid/hiddev.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca..700145b 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; +-- +cgit v0.12 + diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend index a2cdfec..2ae6b4b 100644 --- a/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend @@ -2,7 +2,8 @@ require recipes-kernel/linux/enea-common.inc FILESEXTRAPATHS_prepend := "${THISDIR}/files:" -SRC_URI += "" +SRC_URI += "file://hid-CVE-2016-5829.patch \ + " ENEA_KERNEL_FRAGMENTS += "\ cfg/localversion.cfg \ -- cgit v1.2.3-54-g00ecf