Diffstat (limited to 'recipes-kernel/linux/files/hid-CVE-2016-5829.patch')
-rw-r--r-- | recipes-kernel/linux/files/hid-CVE-2016-5829.patch | 51 |
1 files changed, 0 insertions, 51 deletions
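diff --git a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
deleted file mode 100644
index fca7e51..0000000
--- a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001
-From: Scott Bauer <sbauer@plzdonthack.me>
-Date: Thu, 23 Jun 2016 08:59:47 -0600
-Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
-commands
-
-[ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ]
-
-This patch validates the num_values parameter from userland during the
-HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
-to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
-leading to a heap overflow.
-
-CVE: CVE-2016-5829
-Upstream-Status: Backport
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-drivers/hid/usbhid/hiddev.c | 10 +++++-----
-1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca..700145b 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
-goto inval;
-} else if (uref->usage_index >= field->report_count)
-goto inval;
--
-- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-- uref->usage_index + uref_multi->num_values > field->report_count))
-- goto inval;
-}
-
-+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+ uref->usage_index + uref_multi->num_values > field->report_count))
-+ goto inval;
-+
-switch (cmd) {
-case HIDIOCGUSAGE:
-uref->value = field->value[uref->usage_index];
---
-cgit v0.12
-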