HID: validate feature and input report details - linux

diff options

author	Benjamin Tissoires <benjamin.tissoires@redhat.com>	2013-09-11 21:56:57 +0200
committer	Ben Hutchings <ben@decadent.org.uk>	2013-10-26 21:06:04 +0100
commit	32eed83c07cc2b6e7487fc7c4e47938d7906f3f8 (patch)
tree	85f022b564fe6b220901f48da1cc2c0eb5da7380 /scripts/patch-kernel
parent	3da8b771809032cf829869cabbffbed96cd47bc4 (diff)

HID: validate feature and input report details

commit cc6b54aa54bf40b762cab45a9fc8aa81653146eb upstream. When dealing with usage_index, be sure to properly use unsigned instead of int to avoid overflows. When working on report fields, always validate that their report_counts are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [bwh: Backported to 3.2: - Drop inapplicable changes to hid_usage::usage_index initialisation and to hid_report_raw_event() - Adjust context in report_features() Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Diffstat (limited to 'scripts/patch-kernel')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: