aboutsummaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2013-08-28 22:29:55 +0200
committerBen Hutchings <ben@decadent.org.uk>2013-10-26 21:06:00 +0100
commit1ccd1fd4c43407721caa38ae034359bf8d9a1b34 (patch)
tree161255925d7a0b776cffbf437dedcc2672a6a595 /include
parent934796aadc4cf907d21b9346b70383d520bd0eea (diff)
HID: validate HID report id size
commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream. The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [bwh: Backported to 3.2: use dbg_hid() not hid_err()] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include')
-rw-r--r--include/linux/hid.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 331e2ef7eaa..f9523c8e728 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -416,10 +416,12 @@ struct hid_report {
struct hid_device *device; /* associated device */
};
+#define HID_MAX_IDS 256
+
struct hid_report_enum {
unsigned numbered;
struct list_head report_list;
- struct hid_report *report_id_hash[256];
+ struct hid_report *report_id_hash[HID_MAX_IDS];
};
#define HID_REPORT_TYPES 3