1 files changed, 52 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
new file mode 100644
index 0000000..4355c68
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
+From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 27 Aug 2014 09:12:24 +0200
+Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
+ callback
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that
+magicmouse_emit_touch() gets only valid values of raw_id.
+This fixes CVE-2014-3181
+Upstream-Status: Backport
+Cc: stable@vger.kernel.org
+Reported-by: Steven Vittitoe <scvitti@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-magicmouse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index ecc2cbf..29a74c1 100644
+--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+                if (size < 4 || ((size - 4) % 9) != 0)
+                        return 0;
+                npoints = (size - 4) / 9;
+               if (npoints > 15) {
+                       hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
+                                       size);
+                       return 0;
+               }
+                msc->ntouches = 0;
+                for (ii = 0; ii < npoints; ii++)
+                        magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+                if (size < 6 || ((size - 6) % 8) != 0)
+                        return 0;
+                npoints = (size - 6) / 8;
+               if (npoints > 15) {
+                       hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
+                                       size);
+                       return 0;
+               }
+                msc->ntouches = 0;
+                for (ii = 0; ii < npoints; ii++)
+                        magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch new file mode 100644 index 0000000..4355c68 --- /dev/null +++ b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
	1	From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
	2	From: Jiri Kosina <jkosina@suse.cz>
	3	Date: Wed, 27 Aug 2014 09:12:24 +0200
	4	Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
	5	callback
	6
	7	The report passed to us from transport driver could potentially be
	8	arbitrarily large, therefore we better sanity-check it so that
	9	magicmouse_emit_touch() gets only valid values of raw_id.
	10
	11	This fixes CVE-2014-3181
	12	Upstream-Status: Backport
	13
	14	Cc: stable@vger.kernel.org
	15	Reported-by: Steven Vittitoe <scvitti@google.com>
	16	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
	17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	18	---
	19	drivers/hid/hid-magicmouse.c \| 10 ++++++++++
	20	1 file changed, 10 insertions(+)
	21
	22	diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
	23	index ecc2cbf..29a74c1 100644
	24	--- a/drivers/hid/hid-magicmouse.c
	25	+++ b/drivers/hid/hid-magicmouse.c
	26	@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
	27	if (size < 4 \|\| ((size - 4) % 9) != 0)
	28	return 0;
	29	npoints = (size - 4) / 9;
	30	+ if (npoints > 15) {
	31	+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
	32	+ size);
	33	+ return 0;
	34	+ }
	35	msc->ntouches = 0;
	36	for (ii = 0; ii < npoints; ii++)
	37	magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
	38	@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
	39	if (size < 6 \|\| ((size - 6) % 8) != 0)
	40	return 0;
	41	npoints = (size - 6) / 8;
	42	+ if (npoints > 15) {
	43	+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
	44	+ size);
	45	+ return 0;
	46	+ }
	47	msc->ntouches = 0;
	48	for (ii = 0; ii < npoints; ii++)
	49	magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
	50	--
	51	1.9.1
	52