summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-01-27 09:10:42 +0100
committerZhenhua Luo <zhenhua.luo@freescale.com>2015-02-03 10:04:50 +0800
commit2d64414dded202975082a0531fcfb4461256bf2d (patch)
tree8c08d5696abac9bc8849e411a1d26413d8f292ad
parent42590aa5fb3ae3212c7950f2c71fcf7b3b19ecde (diff)
downloadmeta-freescale-2d64414dded202975082a0531fcfb4461256bf2d.tar.gz
Kernel-HID/USB: multiple CVEs
CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver CVE-2014-3182 Kernel: HID: logitech-dj OOB array access CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup routine CVE-2014-3185 Kernel: USB serial: memory corruption flaw References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch52
-rw-r--r--meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch65
-rw-r--r--meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch114
-rw-r--r--meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch51
-rw-r--r--meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb4
5 files changed, 286 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
new file mode 100644
index 00000000..4355c68f
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
1From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Wed, 27 Aug 2014 09:12:24 +0200
4Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
5 callback
6
7The report passed to us from transport driver could potentially be
8arbitrarily large, therefore we better sanity-check it so that
9magicmouse_emit_touch() gets only valid values of raw_id.
10
11This fixes CVE-2014-3181
12Upstream-Status: Backport
13
14Cc: stable@vger.kernel.org
15Reported-by: Steven Vittitoe <scvitti@google.com>
16Signed-off-by: Jiri Kosina <jkosina@suse.cz>
17Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
18---
19 drivers/hid/hid-magicmouse.c | 10 ++++++++++
20 1 file changed, 10 insertions(+)
21
22diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
23index ecc2cbf..29a74c1 100644
24--- a/drivers/hid/hid-magicmouse.c
25+++ b/drivers/hid/hid-magicmouse.c
26@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
27 if (size < 4 || ((size - 4) % 9) != 0)
28 return 0;
29 npoints = (size - 4) / 9;
30+ if (npoints > 15) {
31+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
32+ size);
33+ return 0;
34+ }
35 msc->ntouches = 0;
36 for (ii = 0; ii < npoints; ii++)
37 magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
38@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
39 if (size < 6 || ((size - 6) % 8) != 0)
40 return 0;
41 npoints = (size - 6) / 8;
42+ if (npoints > 15) {
43+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
44+ size);
45+ return 0;
46+ }
47 msc->ntouches = 0;
48 for (ii = 0; ii < npoints; ii++)
49 magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
50--
511.9.1
52
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
new file mode 100644
index 00000000..a90d0799
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
@@ -0,0 +1,65 @@
1From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Thu, 21 Aug 2014 09:57:17 -0500
4Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
5 enough
6
7device_index is a char type and the size of paired_dj_deivces is 7
8elements, therefore proper bounds checking has to be applied to
9device_index before it is used.
10
11We are currently performing the bounds checking in
12logi_dj_recv_add_djhid_device(), which is too late, as malicious device
13could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
14problem in one of the report forwarding functions called from
15logi_dj_raw_event().
16
17Fix this by performing the check at the earliest possible ocasion in
18logi_dj_raw_event().
19
20This fixes CVE-2014-3182
21Upstream-Status: Backport
22
23Cc: stable@vger.kernel.org
24Reported-by: Ben Hawkes <hawkes@google.com>
25Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
26Signed-off-by: Jiri Kosina <jkosina@suse.cz>
27Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
28---
29 drivers/hid/hid-logitech-dj.c | 13 ++++++-------
30 1 file changed, 6 insertions(+), 7 deletions(-)
31
32diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
33index ca0ab51..b7ba829 100644
34--- a/drivers/hid/hid-logitech-dj.c
35+++ b/drivers/hid/hid-logitech-dj.c
36@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
37 return;
38 }
39
40- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
41- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
42- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
43- __func__, dj_report->device_index);
44- return;
45- }
46-
47 if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
48 /* The device is already known. No need to reallocate it. */
49 dbg_hid("%s: device is already known\n", __func__);
50@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
51 * device (via hid_input_report() ) and return 1 so hid-core does not do
52 * anything else with it.
53 */
54+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
55+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
56+ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
57+ __func__, dj_report->device_index);
58+ return false;
59+ }
60
61 spin_lock_irqsave(&djrcv_dev->lock, flags);
62 if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
63--
641.9.1
65
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
new file mode 100644
index 00000000..f58b2f0e
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
1From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Thu, 21 Aug 2014 09:57:48 -0500
4Subject: [PATCH] HID: fix a couple of off-by-ones
5
6There are a few very theoretical off-by-one bugs in report descriptor size
7checking when performing a pre-parsing fixup. Fix those.
8
9This fixes CVE-2014-3184
10Upstream-Status: Backport
11
12Cc: stable@vger.kernel.org
13Reported-by: Ben Hawkes <hawkes@google.com>
14Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
15Signed-off-by: Jiri Kosina <jkosina@suse.cz>
16Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
17---
18 drivers/hid/hid-cherry.c | 2 +-
19 drivers/hid/hid-kye.c | 2 +-
20 drivers/hid/hid-lg.c | 4 ++--
21 drivers/hid/hid-monterey.c | 2 +-
22 drivers/hid/hid-petalynx.c | 2 +-
23 drivers/hid/hid-sunplus.c | 2 +-
24 6 files changed, 7 insertions(+), 7 deletions(-)
25
26diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
27index 1bdcccc..f745d2c 100644
28--- a/drivers/hid/hid-cherry.c
29+++ b/drivers/hid/hid-cherry.c
30@@ -28,7 +28,7 @@
31 static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
32 unsigned int *rsize)
33 {
34- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
35+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
36 hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
37 rdesc[11] = rdesc[16] = 0xff;
38 rdesc[12] = rdesc[17] = 0x03;
39diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
40index e776963..b92bf01 100644
41--- a/drivers/hid/hid-kye.c
42+++ b/drivers/hid/hid-kye.c
43@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
44 * - change the button usage range to 4-7 for the extra
45 * buttons
46 */
47- if (*rsize >= 74 &&
48+ if (*rsize >= 75 &&
49 rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
50 rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
51 rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
52diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
53index a976f48..f91ff14 100644
54--- a/drivers/hid/hid-lg.c
55+++ b/drivers/hid/hid-lg.c
56@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
57 struct usb_device_descriptor *udesc;
58 __u16 bcdDevice, rev_maj, rev_min;
59
60- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
61+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
62 rdesc[84] == 0x8c && rdesc[85] == 0x02) {
63 hid_info(hdev,
64 "fixing up Logitech keyboard report descriptor\n");
65 rdesc[84] = rdesc[89] = 0x4d;
66 rdesc[85] = rdesc[90] = 0x10;
67 }
68- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
69+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
70 rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
71 rdesc[49] == 0x81 && rdesc[50] == 0x06) {
72 hid_info(hdev,
73diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
74index 9e14c00..25daf28 100644
75--- a/drivers/hid/hid-monterey.c
76+++ b/drivers/hid/hid-monterey.c
77@@ -24,7 +24,7 @@
78 static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
79 unsigned int *rsize)
80 {
81- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
82+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
83 hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
84 rdesc[30] = 0x0c;
85 }
86diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
87index 736b250..6aca4f2 100644
88--- a/drivers/hid/hid-petalynx.c
89+++ b/drivers/hid/hid-petalynx.c
90@@ -25,7 +25,7 @@
91 static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
92 unsigned int *rsize)
93 {
94- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
95+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
96 rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
97 rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
98 hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
99diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
100index 87fc91e..91072fa 100644
101--- a/drivers/hid/hid-sunplus.c
102+++ b/drivers/hid/hid-sunplus.c
103@@ -24,7 +24,7 @@
104 static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
105 unsigned int *rsize)
106 {
107- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
108+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
109 rdesc[106] == 0x03) {
110 hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
111 rdesc[105] = rdesc[110] = 0x03;
112--
1131.9.1
114
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
new file mode 100644
index 00000000..08208076
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
1From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
2From: James Forshaw <forshaw@google.com>
3Date: Sat, 23 Aug 2014 14:39:48 -0700
4Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
5 response
6
7This patch fixes a potential security issue in the whiteheat USB driver
8which might allow a local attacker to cause kernel memory corrpution. This
9is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
10EHCI and XHCI busses it's possible to craft responses greater than 64
11bytes leading a buffer overflow.
12
13This fixes CVE-2014-3185
14Upstream-Status: Backport
15
16Signed-off-by: James Forshaw <forshaw@google.com>
17Cc: stable <stable@vger.kernel.org>
18Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
20---
21 drivers/usb/serial/whiteheat.c | 7 ++++++-
22 1 file changed, 6 insertions(+), 1 deletion(-)
23
24diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
25index e62f2df..6c3734d 100644
26--- a/drivers/usb/serial/whiteheat.c
27+++ b/drivers/usb/serial/whiteheat.c
28@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
29 dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
30 return;
31 }
32+ if (!urb->actual_length) {
33+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
34+ return;
35+ }
36 if (status) {
37 dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
38 if (status != -ENOENT)
39@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
40 /* These are unsolicited reports from the firmware, hence no
41 waiting command to wakeup */
42 dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
43- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
44+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
45+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
46 memcpy(command_info->result_buffer, &data[1],
47 urb->actual_length - 1);
48 command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
49--
501.9.1
51
diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
index 874a3f2b..195b4777 100644
--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -13,6 +13,10 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
13 file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \ 13 file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
14 file://udf-CVE-2014-6410.patch \ 14 file://udf-CVE-2014-6410.patch \
15 file://net-sctp-CVE-2014-0101.patch \ 15 file://net-sctp-CVE-2014-0101.patch \
16 file://0001-HID-CVE-2014-3181.patch \
17 file://0002-HID-CVE-2014-3182.patch \
18 file://0003-HID-CVE-2014-3184.patch \
19 file://0004-USB-CVE-2014-3185.patch \
16" 20"
17SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" 21SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
18 22