1 files changed, 114 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
new file mode 100644
index 0000000..f58b2f0
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
+From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: [PATCH] HID: fix a couple of off-by-ones
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+This fixes CVE-2014-3184
+Upstream-Status: Backport
+Cc: stable@vger.kernel.org
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-cherry.c   | 2 +-
+ drivers/hid/hid-kye.c      | 2 +-
+ drivers/hid/hid-lg.c       | 4 ++--
+ drivers/hid/hid-monterey.c | 2 +-
+ drivers/hid/hid-petalynx.c | 2 +-
+ drivers/hid/hid-sunplus.c  | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
+index 1bdcccc..f745d2c 100644
+--- a/drivers/hid/hid-cherry.c
+++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+       if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+                hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+                rdesc[11] = rdesc[16] = 0xff;
+                rdesc[12] = rdesc[17] = 0x03;
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index e776963..b92bf01 100644
+--- a/drivers/hid/hid-kye.c
+++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                 *   - change the button usage range to 4-7 for the extra
+                 *     buttons
+                 */
+-               if (*rsize >= 74 &&
+               if (*rsize >= 75 &&
+                        rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+                        rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+                        rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index a976f48..f91ff14 100644
+--- a/drivers/hid/hid-lg.c
+++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+        struct usb_device_descriptor *udesc;
+        __u16 bcdDevice, rev_maj, rev_min;
+ 
+-       if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
+       if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+                        rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+                hid_info(hdev,
+                         "fixing up Logitech keyboard report descriptor\n");
+                rdesc[84] = rdesc[89] = 0x4d;
+                rdesc[85] = rdesc[90] = 0x10;
+        }
+-       if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
+       if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+                        rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+                        rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+                hid_info(hdev,
+diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
+index 9e14c00..25daf28 100644
+--- a/drivers/hid/hid-monterey.c
+++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+       if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+                hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+                rdesc[30] = 0x0c;
+        }
+diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
+index 736b250..6aca4f2 100644
+--- a/drivers/hid/hid-petalynx.c
+++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+       if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+                        rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+                        rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+                hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
+index 87fc91e..91072fa 100644
+--- a/drivers/hid/hid-sunplus.c
+++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+       if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+                        rdesc[106] == 0x03) {
+                hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+                rdesc[105] = rdesc[110] = 0x03;
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch new file mode 100644 index 0000000..f58b2f0 --- /dev/null +++ b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
	1	From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
	2	From: Jiri Kosina <jkosina@suse.cz>
	3	Date: Thu, 21 Aug 2014 09:57:48 -0500
	4	Subject: [PATCH] HID: fix a couple of off-by-ones
	5
	6	There are a few very theoretical off-by-one bugs in report descriptor size
	7	checking when performing a pre-parsing fixup. Fix those.
	8
	9	This fixes CVE-2014-3184
	10	Upstream-Status: Backport
	11
	12	Cc: stable@vger.kernel.org
	13	Reported-by: Ben Hawkes <hawkes@google.com>
	14	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
	15	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
	16	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	17	---
	18	drivers/hid/hid-cherry.c \| 2 +-
	19	drivers/hid/hid-kye.c \| 2 +-
	20	drivers/hid/hid-lg.c \| 4 ++--
	21	drivers/hid/hid-monterey.c \| 2 +-
	22	drivers/hid/hid-petalynx.c \| 2 +-
	23	drivers/hid/hid-sunplus.c \| 2 +-
	24	6 files changed, 7 insertions(+), 7 deletions(-)
	25
	26	diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
	27	index 1bdcccc..f745d2c 100644
	28	--- a/drivers/hid/hid-cherry.c
	29	+++ b/drivers/hid/hid-cherry.c
	30	@@ -28,7 +28,7 @@
	31	static __u8 ch_report_fixup(struct hid_device hdev, __u8 *rdesc,
	32	unsigned int *rsize)
	33	{
	34	- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
	35	+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
	36	hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
	37	rdesc[11] = rdesc[16] = 0xff;
	38	rdesc[12] = rdesc[17] = 0x03;
	39	diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
	40	index e776963..b92bf01 100644
	41	--- a/drivers/hid/hid-kye.c
	42	+++ b/drivers/hid/hid-kye.c
	43	@@ -300,7 +300,7 @@ static __u8 kye_report_fixup(struct hid_device hdev, __u8 *rdesc,
	44	* - change the button usage range to 4-7 for the extra
	45	* buttons
	46	*/
	47	- if (*rsize >= 74 &&
	48	+ if (*rsize >= 75 &&
	49	rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
	50	rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
	51	rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
	52	diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
	53	index a976f48..f91ff14 100644
	54	--- a/drivers/hid/hid-lg.c
	55	+++ b/drivers/hid/hid-lg.c
	56	@@ -345,14 +345,14 @@ static __u8 lg_report_fixup(struct hid_device hdev, __u8 *rdesc,
	57	struct usb_device_descriptor *udesc;
	58	__u16 bcdDevice, rev_maj, rev_min;
	59
	60	- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
	61	+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
	62	rdesc[84] == 0x8c && rdesc[85] == 0x02) {
	63	hid_info(hdev,
	64	"fixing up Logitech keyboard report descriptor\n");
	65	rdesc[84] = rdesc[89] = 0x4d;
	66	rdesc[85] = rdesc[90] = 0x10;
	67	}
	68	- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
	69	+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
	70	rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
	71	rdesc[49] == 0x81 && rdesc[50] == 0x06) {
	72	hid_info(hdev,
	73	diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
	74	index 9e14c00..25daf28 100644
	75	--- a/drivers/hid/hid-monterey.c
	76	+++ b/drivers/hid/hid-monterey.c
	77	@@ -24,7 +24,7 @@
	78	static __u8 mr_report_fixup(struct hid_device hdev, __u8 *rdesc,
	79	unsigned int *rsize)
	80	{
	81	- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
	82	+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
	83	hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
	84	rdesc[30] = 0x0c;
	85	}
	86	diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
	87	index 736b250..6aca4f2 100644
	88	--- a/drivers/hid/hid-petalynx.c
	89	+++ b/drivers/hid/hid-petalynx.c
	90	@@ -25,7 +25,7 @@
	91	static __u8 pl_report_fixup(struct hid_device hdev, __u8 *rdesc,
	92	unsigned int *rsize)
	93	{
	94	- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
	95	+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
	96	rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
	97	rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
	98	hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
	99	diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
	100	index 87fc91e..91072fa 100644
	101	--- a/drivers/hid/hid-sunplus.c
	102	+++ b/drivers/hid/hid-sunplus.c
	103	@@ -24,7 +24,7 @@
	104	static __u8 sp_report_fixup(struct hid_device hdev, __u8 *rdesc,
	105	unsigned int *rsize)
	106	{
	107	- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
	108	+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
	109	rdesc[106] == 0x03) {
	110	hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
	111	rdesc[105] = rdesc[110] = 0x03;
	112	--
	113	1.9.1
	114