Linux v3.10.13
This commit is contained in:
parent
38d9b67779
commit
2838ee0969
|
@ -1,83 +1,3 @@
|
|||
From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:29:55 +0200
|
||||
Subject: [PATCH 01/16] HID: validate HID report id size
|
||||
|
||||
The "Report ID" field of a HID report is used to build indexes of
|
||||
reports. The kernel's index of these is limited to 256 entries, so any
|
||||
malicious device that sets a Report ID greater than 255 will trigger
|
||||
memory corruption on the host:
|
||||
|
||||
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
|
||||
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
|
||||
|
||||
CVE-2013-2888
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 10 +++++++---
|
||||
include/linux/hid.h | 4 +++-
|
||||
2 files changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||
index 36668d1..5ea7d51 100644
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
|
||||
struct hid_report_enum *report_enum = device->report_enum + type;
|
||||
struct hid_report *report;
|
||||
|
||||
+ if (id >= HID_MAX_IDS)
|
||||
+ return NULL;
|
||||
if (report_enum->report_id_hash[id])
|
||||
return report_enum->report_id_hash[id];
|
||||
|
||||
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
|
||||
|
||||
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
|
||||
parser->global.report_id = item_udata(item);
|
||||
- if (parser->global.report_id == 0) {
|
||||
- hid_err(parser->device, "report_id 0 is invalid\n");
|
||||
+ if (parser->global.report_id == 0 ||
|
||||
+ parser->global.report_id >= HID_MAX_IDS) {
|
||||
+ hid_err(parser->device, "report_id %u is invalid\n",
|
||||
+ parser->global.report_id);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
|
||||
for (i = 0; i < HID_REPORT_TYPES; i++) {
|
||||
struct hid_report_enum *report_enum = device->report_enum + i;
|
||||
|
||||
- for (j = 0; j < 256; j++) {
|
||||
+ for (j = 0; j < HID_MAX_IDS; j++) {
|
||||
struct hid_report *report = report_enum->report_id_hash[j];
|
||||
if (report)
|
||||
hid_free_report(report);
|
||||
diff --git a/include/linux/hid.h b/include/linux/hid.h
|
||||
index 0c48991..ff545cc 100644
|
||||
--- a/include/linux/hid.h
|
||||
+++ b/include/linux/hid.h
|
||||
@@ -393,10 +393,12 @@ struct hid_report {
|
||||
struct hid_device *device; /* associated device */
|
||||
};
|
||||
|
||||
+#define HID_MAX_IDS 256
|
||||
+
|
||||
struct hid_report_enum {
|
||||
unsigned numbered;
|
||||
struct list_head report_list;
|
||||
- struct hid_report *report_id_hash[256];
|
||||
+ struct hid_report *report_id_hash[HID_MAX_IDS];
|
||||
};
|
||||
|
||||
#define HID_REPORT_TYPES 3
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 11 Sep 2013 21:56:50 +0200
|
||||
|
@ -864,214 +784,3 @@ index 762d988..31cf29a 100644
|
|||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:32:01 +0200
|
||||
Subject: [PATCH 12/16] HID: check for NULL field when setting values
|
||||
|
||||
Defensively check that the field to be worked on is not NULL.
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||
index 08500bc..e331cb1 100644
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
|
||||
|
||||
int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
|
||||
{
|
||||
- unsigned size = field->report_size;
|
||||
+ unsigned size;
|
||||
+
|
||||
+ if (!field)
|
||||
+ return -1;
|
||||
+
|
||||
+ size = field->report_size;
|
||||
|
||||
hid_dump_input(field->report->device, field->usage + offset, value);
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:30:49 +0200
|
||||
Subject: [PATCH 13/16] HID: pantherlord: validate output report details
|
||||
|
||||
A HID device could send a malicious output report that would cause the
|
||||
pantherlord HID driver to write beyond the output report allocation
|
||||
during initialization, causing a heap overflow:
|
||||
|
||||
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
|
||||
...
|
||||
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
||||
|
||||
CVE-2013-2892
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-pl.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
|
||||
index d29112f..2dcd7d9 100644
|
||||
--- a/drivers/hid/hid-pl.c
|
||||
+++ b/drivers/hid/hid-pl.c
|
||||
@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
|
||||
strong = &report->field[0]->value[2];
|
||||
weak = &report->field[0]->value[3];
|
||||
debug("detected single-field device");
|
||||
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
|
||||
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
|
||||
+ } else if (report->field[0]->maxusage == 1 &&
|
||||
+ report->field[0]->usage[0].hid ==
|
||||
+ (HID_UP_LED | 0x43) &&
|
||||
+ report->maxfield >= 4 &&
|
||||
+ report->field[0]->report_count >= 1 &&
|
||||
+ report->field[1]->report_count >= 1 &&
|
||||
+ report->field[2]->report_count >= 1 &&
|
||||
+ report->field[3]->report_count >= 1) {
|
||||
report->field[0]->value[0] = 0x00;
|
||||
report->field[1]->value[0] = 0x00;
|
||||
strong = &report->field[2]->value[0];
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:28 +0200
|
||||
Subject: [PATCH 14/16] HID: ntrig: validate feature report details
|
||||
|
||||
A HID device could send a malicious feature report that would cause the
|
||||
ntrig HID driver to trigger a NULL dereference during initialization:
|
||||
|
||||
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
|
||||
...
|
||||
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
|
||||
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
|
||||
|
||||
CVE-2013-2896
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-ntrig.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
|
||||
index ef95102..5482156 100644
|
||||
--- a/drivers/hid/hid-ntrig.c
|
||||
+++ b/drivers/hid/hid-ntrig.c
|
||||
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
|
||||
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
|
||||
report_id_hash[0x0d];
|
||||
|
||||
- if (!report)
|
||||
+ if (!report || report->maxfield < 1 ||
|
||||
+ report->field[0]->report_count < 1)
|
||||
return -EINVAL;
|
||||
|
||||
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:44 +0200
|
||||
Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details
|
||||
|
||||
A HID device could send a malicious feature report that would cause the
|
||||
sensor-hub HID driver to read past the end of heap allocation, leaking
|
||||
kernel memory contents to the caller.
|
||||
|
||||
CVE-2013-2898
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-sensor-hub.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
|
||||
index ca749810..aa34755 100644
|
||||
--- a/drivers/hid/hid-sensor-hub.c
|
||||
+++ b/drivers/hid/hid-sensor-hub.c
|
||||
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
|
||||
|
||||
mutex_lock(&data->mutex);
|
||||
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
|
||||
- if (!report || (field_index >= report->maxfield)) {
|
||||
+ if (!report || (field_index >= report->maxfield) ||
|
||||
+ report->field[field_index]->report_count < 1) {
|
||||
ret = -EINVAL;
|
||||
goto done_proc;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:52 +0200
|
||||
Subject: [PATCH 16/16] HID: picolcd_core: validate output report details
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
A HID device could send a malicious output report that would cause the
|
||||
picolcd HID driver to trigger a NULL dereference during attr file writing.
|
||||
|
||||
[jkosina@suse.cz: changed
|
||||
|
||||
report->maxfield < 1
|
||||
|
||||
to
|
||||
|
||||
report->maxfield != 1
|
||||
|
||||
as suggested by Bruno].
|
||||
|
||||
CVE-2013-2899
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-picolcd_core.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
|
||||
index b48092d..acbb0210 100644
|
||||
--- a/drivers/hid/hid-picolcd_core.c
|
||||
+++ b/drivers/hid/hid-picolcd_core.c
|
||||
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
|
||||
buf += 10;
|
||||
cnt -= 10;
|
||||
}
|
||||
- if (!report)
|
||||
+ if (!report || report->maxfield != 1)
|
||||
return -EINVAL;
|
||||
|
||||
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
|
@ -45,6 +45,7 @@ index 945b815..c526a3c 100644
|
|||
- if (ret >= 0)
|
||||
- ret = -EINVAL;
|
||||
+ ret = -ENODATA;
|
||||
kfree(buf);
|
||||
break;
|
||||
}
|
||||
+ ret = 0;
|
||||
|
|
|
@ -1,44 +0,0 @@
|
|||
commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
|
||||
Author: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Sun Sep 8 14:33:50 2013 +1000
|
||||
|
||||
crypto: api - Fix race condition in larval lookup
|
||||
|
||||
crypto_larval_lookup should only return a larval if it created one.
|
||||
Any larval created by another entity must be processed through
|
||||
crypto_larval_wait before being returned.
|
||||
|
||||
Otherwise this will lead to a larval being killed twice, which
|
||||
will most likely lead to a crash.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Kees Cook <keescook@chromium.org>
|
||||
Tested-by: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
diff --git a/crypto/api.c b/crypto/api.c
|
||||
index 320ea4d..a2b39c5 100644
|
||||
--- a/crypto/api.c
|
||||
+++ b/crypto/api.c
|
||||
@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
|
||||
BLOCKING_NOTIFIER_HEAD(crypto_chain);
|
||||
EXPORT_SYMBOL_GPL(crypto_chain);
|
||||
|
||||
+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
|
||||
+
|
||||
struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
|
||||
{
|
||||
return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
|
||||
@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
|
||||
}
|
||||
up_write(&crypto_alg_sem);
|
||||
|
||||
- if (alg != &larval->alg)
|
||||
+ if (alg != &larval->alg) {
|
||||
kfree(larval);
|
||||
+ if (crypto_is_larval(alg))
|
||||
+ alg = crypto_larval_wait(alg);
|
||||
+ }
|
||||
|
||||
return alg;
|
||||
}
|
11
kernel.spec
11
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 12
|
||||
%define stable_update 13
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -776,9 +776,6 @@ Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch
|
|||
#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
|
||||
Patch25099: HID-CVE-fixes.patch
|
||||
|
||||
#rhbz 1002351
|
||||
Patch25100: crypto-fix-race-in-larval-lookup.patch
|
||||
|
||||
#CVE-2013-4343 rhbz 1007733 1007741
|
||||
Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
|
||||
|
||||
|
@ -1505,9 +1502,6 @@ ApplyPatch HID-CVE-fixes.patch
|
|||
#rhbz 1000679
|
||||
ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch
|
||||
|
||||
#rhbz1002351
|
||||
ApplyPatch crypto-fix-race-in-larval-lookup.patch
|
||||
|
||||
#CVE-2013-4343 rhbz 1007733 1007741
|
||||
ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
|
||||
|
||||
|
@ -2364,6 +2358,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Sep 27 2013 Justin M. Forbes <jforbes@fedoraproject.org> 3.10.13-100
|
||||
- Linux v3.10.13
|
||||
|
||||
* Mon Sep 23 2013 Neil Horman <nhorman@redhat.com>
|
||||
- Add alb learning packet config knob (rhbz 971893)
|
||||
|
||||
|
|
Loading…
Reference in New Issue