From 012898697609c59c8c4608f03da69150fe196349 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 6 Sep 2013 14:50:17 -0400 Subject: [PATCH] Linux v3.11-6855-g4de9ad9 --- HID-CVE-fixes.patch | 529 -------------------------------------------- config-generic | 1 + kernel.spec | 5 +- sources | 2 +- 4 files changed, 6 insertions(+), 531 deletions(-) diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch index dc44c5edc..80fda9555 100644 --- a/HID-CVE-fixes.patch +++ b/HID-CVE-fixes.patch @@ -1,126 +1,3 @@ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 01/14] HID: validate HID report id size -Date: Wed, 28 Aug 2013 22:29:55 +0200 (CEST) -Lines: 81 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721804 9521 80.91.229.3 (28 Aug 2013 20:30:04 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:04 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:06 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNR-0008U8-2t - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:05 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754658Ab3H1UaD (ORCPT ); - Wed, 28 Aug 2013 16:30:03 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57907 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752748Ab3H1UaD (ORCPT ); - Wed, 28 Aug 2013 16:30:03 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 1C5ACA535B; - Wed, 28 Aug 2013 22:30:01 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31652 -Archived-At: - -From: Kees Cook - -The "Report ID" field of a HID report is used to build indexes of -reports. The kernel's index of these is limited to 256 entries, so any -malicious device that sets a Report ID greater than 255 will trigger -memory corruption on the host: - -[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 -[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b - -CVE-2013-2888 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-core.c | 10 +++++++--- - include/linux/hid.h | 4 +++- - 2 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 36668d1..5ea7d51 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, - struct hid_report_enum *report_enum = device->report_enum + type; - struct hid_report *report; - -+ if (id >= HID_MAX_IDS) -+ return NULL; - if (report_enum->report_id_hash[id]) - return report_enum->report_id_hash[id]; - -@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) - - case HID_GLOBAL_ITEM_TAG_REPORT_ID: - parser->global.report_id = item_udata(item); -- if (parser->global.report_id == 0) { -- hid_err(parser->device, "report_id 0 is invalid\n"); -+ if (parser->global.report_id == 0 || -+ parser->global.report_id >= HID_MAX_IDS) { -+ hid_err(parser->device, "report_id %u is invalid\n", -+ parser->global.report_id); - return -1; - } - return 0; -@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) - for (i = 0; i < HID_REPORT_TYPES; i++) { - struct hid_report_enum *report_enum = device->report_enum + i; - -- for (j = 0; j < 256; j++) { -+ for (j = 0; j < HID_MAX_IDS; j++) { - struct hid_report *report = report_enum->report_id_hash[j]; - if (report) - hid_free_report(report); -diff --git a/include/linux/hid.h b/include/linux/hid.h -index 0c48991..ff545cc 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -393,10 +393,12 @@ struct hid_report { - struct hid_device *device; /* associated device */ - }; - -+#define HID_MAX_IDS 256 -+ - struct hid_report_enum { - unsigned numbered; - struct list_head report_list; -- struct hid_report *report_id_hash[256]; -+ struct hid_report *report_id_hash[HID_MAX_IDS]; - }; - - #define HID_REPORT_TYPES 3 - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - Path: news.gmane.org!not-for-mail From: Jiri Kosina Newsgroups: gmane.linux.kernel.input @@ -531,94 +408,6 @@ To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 06/14] HID: pantherlord: validate output report details -Date: Wed, 28 Aug 2013 22:30:49 +0200 (CEST) -Lines: 47 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721853 9919 80.91.229.3 (28 Aug 2013 20:30:53 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:53 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:55 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOD-0000cl-Qd - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:54 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754500Ab3H1Uax (ORCPT ); - Wed, 28 Aug 2013 16:30:53 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57948 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1753468Ab3H1Uaw (ORCPT ); - Wed, 28 Aug 2013 16:30:52 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 21315A531D; - Wed, 28 Aug 2013 22:30:52 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31657 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -pantherlord HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 -... -[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2892 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-pl.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c -index d29112f..2dcd7d9 100644 ---- a/drivers/hid/hid-pl.c -+++ b/drivers/hid/hid-pl.c -@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) - strong = &report->field[0]->value[2]; - weak = &report->field[0]->value[3]; - debug("detected single-field device"); -- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && -- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { -+ } else if (report->field[0]->maxusage == 1 && -+ report->field[0]->usage[0].hid == -+ (HID_UP_LED | 0x43) && -+ report->maxfield >= 4 && -+ report->field[0]->report_count >= 1 && -+ report->field[1]->report_count >= 1 && -+ report->field[2]->report_count >= 1 && -+ report->field[3]->report_count >= 1) { - report->field[0]->value[0] = 0x00; - report->field[1]->value[0] = 0x00; - strong = &report->field[2]->value[0]; --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html Path: news.gmane.org!not-for-mail From: Jiri Kosina @@ -1049,88 +838,6 @@ To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 10/14] HID: ntrig: validate feature report details -Date: Wed, 28 Aug 2013 22:31:28 +0200 (CEST) -Lines: 41 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721895 10362 80.91.229.3 (28 Aug 2013 20:31:35 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:35 +0000 (UTC) -Cc: Kees Cook , Rafi Rubin -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:36 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOq-0000cl-KK - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:32 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753024Ab3H1Ubc (ORCPT ); - Wed, 28 Aug 2013 16:31:32 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57985 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1751971Ab3H1Ubb (ORCPT ); - Wed, 28 Aug 2013 16:31:31 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id C4DDAA531D; - Wed, 28 Aug 2013 22:31:30 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31661 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious feature report that would cause the -ntrig HID driver to trigger a NULL dereference during initialization: - -[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 -... -[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 -[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] - -CVE-2013-2896 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-ntrig.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c -index ef95102..5482156 100644 ---- a/drivers/hid/hid-ntrig.c -+++ b/drivers/hid/hid-ntrig.c -@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) - struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. - report_id_hash[0x0d]; - -- if (!report) -+ if (!report || report->maxfield < 1 || -+ report->field[0]->report_count < 1) - return -EINVAL; - - hid_hw_request(hdev, report, HID_REQ_GET_REPORT); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html Path: news.gmane.org!not-for-mail From: Jiri Kosina @@ -1252,239 +959,3 @@ SUSE Labs To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 12/14] HID: sensor-hub: validate feature report details -Date: Wed, 28 Aug 2013 22:31:44 +0200 (CEST) -Lines: 36 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721907 10489 80.91.229.3 (28 Aug 2013 20:31:47 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:47 +0000 (UTC) -Cc: Kees Cook , - Mika Westerberg , - srinivas pandruvada -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:51 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmP8-0000cl-9D - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:50 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754788Ab3H1Ubt (ORCPT ); - Wed, 28 Aug 2013 16:31:49 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:58000 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754228Ab3H1Ubt (ORCPT ); - Wed, 28 Aug 2013 16:31:49 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id BBD85A535B; - Wed, 28 Aug 2013 22:31:47 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31663 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious feature report that would cause the -sensor-hub HID driver to read past the end of heap allocation, leaking -kernel memory contents to the caller. - -CVE-2013-2898 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-sensor-hub.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c -index ca749810..aa34755 100644 ---- a/drivers/hid/hid-sensor-hub.c -+++ b/drivers/hid/hid-sensor-hub.c -@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, - - mutex_lock(&data->mutex); - report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); -- if (!report || (field_index >= report->maxfield)) { -+ if (!report || (field_index >= report->maxfield) || -+ report->field[field_index]->report_count < 1) { - ret = -EINVAL; - goto done_proc; - } --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 13/14] HID: picolcd_core: validate output report details -Date: Wed, 28 Aug 2013 22:31:52 +0200 (CEST) -Lines: 34 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721917 10573 80.91.229.3 (28 Aug 2013 20:31:57 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:57 +0000 (UTC) -Cc: Kees Cook , - =?ISO-8859-15?Q?Bruno_Pr=E9mont?= -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:59 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmPE-0000cl-T8 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:57 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754901Ab3H1Ub4 (ORCPT ); - Wed, 28 Aug 2013 16:31:56 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:58006 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754228Ab3H1Ub4 (ORCPT ); - Wed, 28 Aug 2013 16:31:56 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 2720DA531D; - Wed, 28 Aug 2013 22:31:55 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31664 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -picolcd HID driver to trigger a NULL dereference during attr file writing. - -CVE-2013-2899 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-picolcd_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c -index b48092d..72bba1e 100644 ---- a/drivers/hid/hid-picolcd_core.c -+++ b/drivers/hid/hid-picolcd_core.c -@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, - buf += 10; - cnt -= 10; - } -- if (!report) -+ if (!report || report->maxfield < 1) - return -EINVAL; - - while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 14/14] HID: check for NULL field when setting values -Date: Wed, 28 Aug 2013 22:32:01 +0200 (CEST) -Lines: 36 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721927 10651 80.91.229.3 (28 Aug 2013 20:32:07 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:32:07 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:32:06 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmPO-0000cl-40 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:32:06 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754959Ab3H1UcF (ORCPT ); - Wed, 28 Aug 2013 16:32:05 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:58016 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754282Ab3H1UcE (ORCPT ); - Wed, 28 Aug 2013 16:32:04 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 6D278A531D; - Wed, 28 Aug 2013 22:32:03 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31665 -Archived-At: - -From: Kees Cook - -Defensively check that the field to be worked on is not NULL. - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-core.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 55798b2..192be6b 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1206,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); - - int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) - { -- unsigned size = field->report_size; -+ unsigned size; -+ -+ if (!field) -+ return -1; -+ -+ size = field->report_size; - - hid_dump_input(field->report->device, field->usage + offset, value); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - diff --git a/config-generic b/config-generic index ef9ee056a..7df3652f0 100644 --- a/config-generic +++ b/config-generic @@ -3346,6 +3346,7 @@ CONFIG_HID_SMARTJOYPLUS=m CONFIG_HID_TOPSEED=m CONFIG_HID_THINGM=m CONFIG_HID_THRUSTMASTER=m +CONFIG_HID_XINMO=m CONFIG_HID_ZEROPLUS=m CONFIG_HID_ZYDACRON=m CONFIG_HID_SENSOR_HUB=m diff --git a/kernel.spec b/kernel.spec index 28a218b04..ff0e3d636 100644 --- a/kernel.spec +++ b/kernel.spec @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 13 +%define gitrev 14 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -2301,6 +2301,9 @@ fi # ||----w | # || || %changelog +* Fri Sep 06 2013 Josh Boyer - 3.12.0-0.rc0.git14.1 +- Linux v3.11-6855-g4de9ad9 + * Fri Sep 06 2013 Kyle McMartin - [arm] enable KERNEL_MODE_NEON, safe to do, as the raid6 code tests hwcaps so it won't impact tegra. diff --git a/sources b/sources index 8ea8152cd..a705ca02e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -a0f29a37d42d8aa73393fb70992ffb11 patch-3.11-git13.xz +fa0d29db568eef6e318c5d78dc4de40d patch-3.11-git14.xz