From 700b375ec0451e65534ffca0cf605d217bb532ef Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Thu, 12 Sep 2013 08:55:16 -0400
Subject: [PATCH] Update to v3 of the upstream HID fixes
---
HID-CVE-fixes.patch | 1361 ++++++++++++++++++++++++++++---------------
1 file changed, 877 insertions(+), 484 deletions(-)
diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch
index 80fda9555..cad53a352 100644
--- a/HID-CVE-fixes.patch
+++ b/HID-CVE-fixes.patch
@@ -1,64 +1,78 @@ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 02/14] HID: provide a helper for validating hid reports -Date: Wed, 28 Aug 2013 22:30:06 +0200 (CEST) -Lines: 99 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721810 9564 80.91.229.3 (28 Aug 2013 20:30:10 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:10 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:12 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNX-0008U8-Cg - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:11 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754750Ab3H1UaK (ORCPT ); - Wed, 28 Aug 2013 16:30:10 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57911 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:03:58 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11796oab; + Wed, 11 Sep 2013 13:03:58 -0700 (PDT) +X-Received: by 10.68.212.106 with SMTP id nj10mr3810582pbc.74.1378929838373; + Wed, 11 Sep 2013 13:03:58 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) + by mx.google.com with ESMTP id ar2si22908345pbc.232.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:03:58 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756767Ab3IKT5P (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:15 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:61286 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752748Ab3H1UaK (ORCPT ); - Wed, 28 Aug 2013 16:30:10 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 3C054A531D; - Wed, 28 Aug 2013 22:30:09 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1755250Ab3IKT5M (ORCPT ); + Wed, 11 Sep 2013 15:57:12 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJv5ds028134 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:05 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jX020673; + Wed, 11 Sep 2013 15:57:03 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 01/10] HID: provide a helper for validating hid reports +Date: Wed, 11 Sep 2013 21:56:50 +0200 +Message-Id: 
<1378929419-6269-2-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31653 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 3882 +Lines: 115 From: Kees Cook Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common -helper to perform validation of the report, its field count, and the -value count within the fields. +helper to perform validation of the report exisitng, the field existing, +and the expected number of values within the field. Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires --- - drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ - include/linux/hid.h | 4 ++++ - 2 files changed, 54 insertions(+) +v3: + - no changes + +v2: + - suggestions from Benjamin Tissoires: + - check id too, just to be double-safe. + - updated to check a specific field, moving the for loop to callers. + + drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 ++++ + 2 files changed, 62 insertions(+) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 5ea7d51..55798b2 100644 +index 2c77854..44b6c68 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c -@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) +@@ -801,6 +801,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) } EXPORT_SYMBOL_GPL(hid_parse_report); 
@@ -68,118 +82,131 @@ index 5ea7d51..55798b2 100644 + "HID_FEATURE_REPORT", +}; +/** -+ * hid_validate_report - validate existing device report ++ * hid_validate_values - validate existing device report's value indexes + * + * @device: hid device + * @type: which report type to examine + * @id: which report ID to examine (0 for first) -+ * @fields: expected number of fields -+ * @report_counts: expected number of values per field ++ * @field_index: which report field to examine ++ * @report_counts: expected number of values + * -+ * Validate the report details after parsing. ++ * Validate the number of values in a given field of a given report, after ++ * parsing. + */ -+struct hid_report *hid_validate_report(struct hid_device *hid, ++struct hid_report *hid_validate_values(struct hid_device *hid, + unsigned int type, unsigned int id, -+ unsigned int fields, ++ unsigned int field_index, + unsigned int report_counts) +{ + struct hid_report *report; -+ unsigned int i; + + if (type > HID_FEATURE_REPORT) { -+ hid_err(hid, "invalid HID report %u\n", type); ++ hid_err(hid, "invalid HID report type %u\n", type); + return NULL; + } + ++ if (id >= HID_MAX_IDS) { ++ hid_err(hid, "invalid HID report id %u\n", id); ++ return NULL; ++ } ++ ++ /* ++ * Explicitly not using hid_get_report() here since it depends on ++ * ->numbered being checked, which may not always be the case when ++ * drivers go to access report values. 
++ */ + report = hid->report_enum[type].report_id_hash[id]; + if (!report) { + hid_err(hid, "missing %s %u\n", hid_report_names[type], id); + return NULL; + } -+ if (report->maxfield < fields) { ++ if (report->maxfield <= field_index) { + hid_err(hid, "not enough fields in %s %u\n", + hid_report_names[type], id); + return NULL; + } -+ for (i = 0; i < fields; i++) { -+ if (report->field[i]->report_count < report_counts) { -+ hid_err(hid, "not enough values in %s %u fields\n", -+ hid_report_names[type], id); -+ return NULL; -+ } ++ if (report->field[field_index]->report_count < report_counts) { ++ hid_err(hid, "not enough values in %s %u field %u\n", ++ hid_report_names[type], id, field_index); ++ return NULL; + } + return report; +} -+EXPORT_SYMBOL_GPL(hid_validate_report); ++EXPORT_SYMBOL_GPL(hid_validate_values); + /** * hid_open_report - open a driver-specific device report * diff --git a/include/linux/hid.h b/include/linux/hid.h -index ff545cc..76e41d8 100644 +index ee1ffc5..31b9d29 100644 --- a/include/linux/hid.h 
+++ b/include/linux/hid.h -@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data); +@@ -756,6 +756,10 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags); struct hid_device *hid_allocate_device(void); struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); -+struct hid_report *hid_validate_report(struct hid_device *hid, ++struct hid_report *hid_validate_values(struct hid_device *hid, + unsigned int type, unsigned int id, -+ unsigned int fields, ++ unsigned int field_index, + unsigned int report_counts); int hid_open_report(struct hid_device *device); int hid_check_keys_pressed(struct hid_device *hid); int hid_connect(struct hid_device *hid, unsigned int connect_mask); - -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 03/14] HID: zeroplus: validate output report details -Date: Wed, 28 Aug 2013 22:30:15 +0200 (CEST) -Lines: 57 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721819 9648 80.91.229.3 (28 Aug 2013 20:30:19 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:19 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:21 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org 
with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNg-0008U8-24 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:21 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754896Ab3H1UaT (ORCPT ); - Wed, 28 Aug 2013 16:30:19 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57913 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:03:31 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11793oab; + Wed, 11 Sep 2013 13:03:31 -0700 (PDT) +X-Received: by 10.66.218.166 with SMTP id ph6mr5787502pac.28.1378929811148; + Wed, 11 Sep 2013 13:03:31 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id r5si6448917pbj.181.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:03:31 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757217Ab3IKT5Q (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:16 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:55160 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752748Ab3H1UaS (ORCPT ); - Wed, 28 Aug 2013 16:30:18 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id A94ACA531D; - Wed, 28 Aug 2013 22:30:17 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1756944Ab3IKT5N (ORCPT ); + Wed, 11 Sep 2013 15:57:13 -0400 +Received: from 
int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJv7kb002821 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:07 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jY020673; + Wed, 11 Sep 2013 15:57:05 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 02/10] HID: zeroplus: validate output report details +Date: Wed, 11 Sep 2013 21:56:51 +0200 +Message-Id: <1378929419-6269-3-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31654 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 1957 +Lines: 62 From: Kees Cook @@ -195,29 +222,32 @@ during initialization, causing a heap overflow: CVE-2013-2889 Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires --- - drivers/hid/hid-zpff.c | 14 ++------------ - 1 file changed, 2 insertions(+), 12 deletions(-) +v3: + - no changes + + drivers/hid/hid-zpff.c | 18 +++++------------- + 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c -index 6ec28a3..b124991 100644 +index 6ec28a3..a29756c 100644 --- a/drivers/hid/hid-zpff.c 
+++ b/drivers/hid/hid-zpff.c -@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid) +@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid) struct hid_report *report; struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); - struct list_head *report_list = - &hid->report_enum[HID_OUTPUT_REPORT].report_list; struct input_dev *dev = hidinput->input; - int error; +- int error; ++ int i, error; - if (list_empty(report_list)) { - hid_err(hid, "no output report found\n"); -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1); -+ if (!report) - return -ENODEV; +- return -ENODEV; - } - - report = list_entry(report_list->next, struct hid_report, list); 
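Review bot: In hid_validate_values() the kernel-doc promises `@id: which report ID to examine (0 for first)`, but the lookup is `report = hid->report_enum[type].report_id_hash[id];`, which for id 0 returns whatever sits in hash slot 0 rather than the first report in the list. The zpff code this series replaces took `list_entry(report_list->next, ...)`, so on a device that numbers its reports slot 0 may be empty or hold a different report than the first listed one. Presumably the sony, steelseries and LG callers, which discard the return value and whose bodies continue outside these hunks, go on to use the first listed report, in which case the check may cover a different object than the one later written to. I would special-case id 0 to examine the first list entry, guarded by list_empty(), as sketched below. Separately, the kernel-doc names the first parameter `@device` while the signature calls it `hid`.

```c
	/* … unchanged: type and id range checks … */
	if (id == 0) {
		/* "0 for first": examine the first report in the list. */
		struct list_head *list = &hid->report_enum[type].report_list;

		report = list_empty(list) ? NULL :
			list_entry(list->next, struct hid_report, list);
	} else {
		report = hid->report_enum[type].report_id_hash[id];
	}
	/* … unchanged: NULL, maxfield and report_count checks … */
```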
@@ -225,60 +255,68 @@ index 6ec28a3..b124991 100644 - if (report->maxfield < 4) { - hid_err(hid, "not enough fields in report\n"); - return -ENODEV; -- } ++ for (i = 0; i < 4; i++) { ++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); ++ if (!report) ++ return -ENODEV; + } zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); - if (!zpff) - -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 04/14] HID: sony: validate HID output report details -Date: Wed, 28 Aug 2013 22:30:23 +0200 (CEST) -Lines: 43 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721826 9710 80.91.229.3 (28 Aug 2013 20:30:26 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:26 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:28 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNn-0008U8-JR - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:27 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754899Ab3H1Ua1 (ORCPT ); - Wed, 28 Aug 2013 16:30:27 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57919 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:05:30 2013 +Delivered-To: jwboyer@gmail.com +Received: 
by 10.76.168.104 with SMTP id zv8csp11806oab; + Wed, 11 Sep 2013 13:05:31 -0700 (PDT) +X-Received: by 10.68.245.227 with SMTP id xr3mr3786856pbc.182.1378929930715; + Wed, 11 Sep 2013 13:05:30 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id hk5si3647517pac.9.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:05:30 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757390Ab3IKT7e (ORCPT + + 99 others); Wed, 11 Sep 2013 15:59:34 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:61377 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1753936Ab3H1Ua0 (ORCPT ); - Wed, 28 Aug 2013 16:30:26 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 02DB9A531D; - Wed, 28 Aug 2013 22:30:26 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1757186Ab3IKT5O (ORCPT ); + Wed, 11 Sep 2013 15:57:14 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJv9ae028162 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:09 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jZ020673; + Wed, 11 Sep 2013 15:57:07 -0400 +From: Benjamin Tissoires +To: Benjamin 
Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 03/10] HID: sony: validate HID output report details +Date: Wed, 11 Sep 2013 21:56:52 +0200 +Message-Id: <1378929419-6269-4-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31655 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 1489 +Lines: 46 From: Kees Cook @@ -294,13 +332,17 @@ output report: CVE-2013-2890 Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires --- - drivers/hid/hid-sony.c | 4 ++++ +v3: + - no changes + + drivers/hid/hid-sony.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c -index 87fbe29..b987926 100644 +index 30dbb6b..b18320d 100644 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev) 
@@ -308,62 +350,67 @@ index 87fbe29..b987926 100644 BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER)); + /* Validate expected report characteristics. */ -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 7)) ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 7)) + return -ENODEV; + buzz = kzalloc(sizeof(*buzz), GFP_KERNEL); if (!buzz) { hid_err(hdev, "Insufficient memory, cannot allocate driver data\n"); - -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 05/14] HID: steelseries: validate output report details -Date: Wed, 28 Aug 2013 22:30:37 +0200 (CEST) -Lines: 43 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721849 9885 80.91.229.3 (28 Aug 2013 20:30:49 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:49 +0000 (UTC) -Cc: Kees Cook , Simon Wood -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:51 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmO7-0000cl-Po - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:48 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1755238Ab3H1Uam (ORCPT ); - Wed, 28 Aug 2013 16:30:42 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57942 "EHLO mx2.suse.de" +From 
linux-kernel-owner@vger.kernel.org Wed Sep 11 16:01:06 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11780oab; + Wed, 11 Sep 2013 13:01:07 -0700 (PDT) +X-Received: by 10.68.178.197 with SMTP id da5mr3851703pbc.28.1378929666801; + Wed, 11 Sep 2013 13:01:06 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id yp5si22941669pbb.65.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:01:06 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757243Ab3IKT5U (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:20 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:50734 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754222Ab3H1Uak (ORCPT ); - Wed, 28 Aug 2013 16:30:40 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id EFDE1A531D; - Wed, 28 Aug 2013 22:30:39 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1756944Ab3IKT5S (ORCPT ); + Wed, 11 Sep 2013 15:57:18 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvBYq001582 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:11 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) 
with ESMTP id r8BJv0ja020673; + Wed, 11 Sep 2013 15:57:09 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 04/10] HID: steelseries: validate output report details +Date: Wed, 11 Sep 2013 21:56:53 +0200 +Message-Id: <1378929419-6269-5-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31656 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 1388 +Lines: 46 From: Kees Cook @@ -378,20 +425,24 @@ during initialization, causing a heap overflow: CVE-2013-2891 Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires --- - drivers/hid/hid-steelseries.c | 5 +++++ +v3: + - no changes + + drivers/hid/hid-steelseries.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c -index d164911..ef42e86 100644 +index d164911..29f328f 100644 --- a/drivers/hid/hid-steelseries.c +++ b/drivers/hid/hid-steelseries.c @@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, goto err_free; } -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) { ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) { + ret = -ENODEV; + goto err_free; + } 
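Review bot: The value counts passed to hid_validate_values() in buzz_init() (`7`) and steelseries_srws1_probe() (`16`) are bare literals, and the code that indexes `value[]` lies outside these hunks, so nothing visible ties the validated bound to the highest index later written. A named constant shared by the check and the writer would keep the two from drifting apart; at minimum a comment at each call such as `/* report_counts must cover the highest value[] index this driver writes */` would record the dependency. Both functions start and end outside their hunks, so the actual indices cannot be confirmed from here.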
@@ -399,57 +450,61 @@ index d164911..ef42e86 100644 ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); if (ret) { hid_err(hdev, "hw start failed\n"); - -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 07/14] HID: LG: validate HID output report details -Date: Wed, 28 Aug 2013 22:31:00 +0200 (CEST) -Lines: 194 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721865 10099 80.91.229.3 (28 Aug 2013 20:31:05 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:05 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:07 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOQ-0000cl-Fi - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:06 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753468Ab3H1UbF (ORCPT ); - Wed, 28 Aug 2013 16:31:05 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57957 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:03:13 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11792oab; + Wed, 11 Sep 2013 13:03:14 -0700 (PDT) +X-Received: by 10.68.164.161 with SMTP id yr1mr3875852pbb.40.1378929793546; + Wed, 11 Sep 2013 13:03:13 -0700 (PDT) 
+Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id br4si22834818pbd.183.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:03:13 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757365Ab3IKT6q (ORCPT + + 99 others); Wed, 11 Sep 2013 15:58:46 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:65295 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752780Ab3H1UbE (ORCPT ); - Wed, 28 Aug 2013 16:31:04 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 5F1F5A531D; - Wed, 28 Aug 2013 22:31:03 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1757242Ab3IKT5T (ORCPT ); + Wed, 11 Sep 2013 15:57:19 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvD8J001594 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:13 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jb020673; + Wed, 11 Sep 2013 15:57:11 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 05/10] HID: LG: validate HID output report details +Date: Wed, 
11 Sep 2013 21:56:54 +0200 +Message-Id: <1378929419-6269-6-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31658 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 6409 +Lines: 198 From: Kees Cook @@ -467,16 +522,20 @@ cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires --- - drivers/hid/hid-lg2ff.c | 19 +++---------------- - drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- - drivers/hid/hid-lg4ff.c | 20 +------------------- - drivers/hid/hid-lgff.c | 17 ++--------------- +v3: + - no changes + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c -index b3cd150..9805197 100644 +index b3cd150..1a42eaa 100644 --- a/drivers/hid/hid-lg2ff.c +++ b/drivers/hid/hid-lg2ff.c @@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) @@ -491,7 +550,7 @@ index b3cd150..9805197 100644 - if (list_empty(report_list)) { - hid_err(hid, "no output report found\n"); + /* Check that the report looks ok */ -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7); ++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7); + if (!report) return -ENODEV; - } @@ -510,7 +569,7 @@ index b3cd150..9805197 100644 lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); if (!lg2ff) 
diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c -index e52f181..53ac79b 100644 +index e52f181..8c2da18 100644 --- a/drivers/hid/hid-lg3ff.c +++ b/drivers/hid/hid-lg3ff.c @@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, @@ -558,13 +617,13 @@ index e52f181..53ac79b 100644 - hid_err(hid, "NULL field\n"); - return -1; - } -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35)) ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35)) + return -ENODEV; /* Assume single fixed device G940 */ for (i = 0; ff_bits[i] >= 0; i++) diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c -index 0ddae2a..8b89f0f 100644 +index 0ddae2a..8782fe1 100644 --- a/drivers/hid/hid-lg4ff.c +++ b/drivers/hid/hid-lg4ff.c @@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde @@ -591,7 +650,7 @@ index 0ddae2a..8b89f0f 100644 - report = list_entry(report_list->next, struct hid_report, list); - if (!report) { - hid_err(hid, "NULL output report\n"); -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) return -1; - } - @@ -604,7 +663,7 @@ index 0ddae2a..8b89f0f 100644 /* Check what wheel has been connected */ for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c -index d7ea8c8..a84fb40 100644 +index d7ea8c8..e1394af 100644 --- a/drivers/hid/hid-lgff.c +++ b/drivers/hid/hid-lgff.c @@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) 
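Review bot: In the hid-lg4ff.c hunk the validation failure path keeps `return -1;`, while the hid-lg3ff.c and hid-lgff.c hunks of the same patch return `-ENODEV` for the identical check. If the caller propagates this value as an errno, -1 reads as -EPERM and hides the real cause of the probe failure; `return -ENODEV;` would match the sibling drivers. The enclosing lg4ff function starts and ends outside the hunk, so how its caller treats the value is not visible here.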
@@ -632,61 +691,68 @@ index d7ea8c8..a84fb40 100644 - hid_err(hid, "NULL field\n"); - return -1; - } -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) + return -ENODEV; for (i = 0; i < ARRAY_SIZE(devices); i++) { if (dev->id.vendor == devices[i].idVendor && -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 08/14] HID: lenovo-tpkbd: validate output report details -Date: Wed, 28 Aug 2013 22:31:10 +0200 (CEST) -Lines: 42 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721874 10167 80.91.229.3 (28 Aug 2013 20:31:14 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:14 +0000 (UTC) -Cc: Kees Cook , - Bernhard Seibold -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:16 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOY-0000cl-HM - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:14 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754122Ab3H1UbN (ORCPT ); - Wed, 28 Aug 2013 16:31:13 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57965 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:02:34 2013 +Delivered-To: jwboyer@gmail.com +Received: 
by 10.76.168.104 with SMTP id zv8csp11790oab; + Wed, 11 Sep 2013 13:02:35 -0700 (PDT) +X-Received: by 10.68.170.133 with SMTP id am5mr3779285pbc.104.1378929754723; + Wed, 11 Sep 2013 13:02:34 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id xn6si22906387pbc.242.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:02:34 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757267Ab3IKT5Y (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:24 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:57999 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752780Ab3H1UbN (ORCPT ); - Wed, 28 Aug 2013 16:31:13 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 982A1A531D; - Wed, 28 Aug 2013 22:31:12 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1756944Ab3IKT5W (ORCPT ); + Wed, 11 Sep 2013 15:57:22 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvFmO002339 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:15 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jc020673; + Wed, 11 Sep 2013 15:57:13 -0400 +From: Benjamin Tissoires +To: Benjamin 
Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 06/10] HID: lenovo-tpkbd: validate output report details +Date: Wed, 11 Sep 2013 21:56:55 +0200 +Message-Id: <1378929419-6269-7-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31659 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 1714 +Lines: 53 + +From: Kees Cook From: Kees Cook @@ -701,77 +767,91 @@ during initialization, causing a heap overflow: CVE-2013-2894 Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires --- - drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ - 1 file changed, 5 insertions(+) +v3: + - fix feature report check for report ID 4 + + drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 07837f5..b697ada 100644 +index 07837f5..762d988 100644 --- a/drivers/hid/hid-lenovo-tpkbd.c 
+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev) +@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev) + struct tpkbd_data_pointer *data_pointer; + size_t name_sz = strlen(dev_name(dev)) + 16; char *name_mute, *name_micmute; - int ret; - -+ /* Validate required reports. */ -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) || -+ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2)) -+ return -ENODEV; +- int ret; ++ int i, ret; + ++ /* Validate required reports. */ ++ for (i = 0; i < 4; i++) { ++ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1)) ++ return -ENODEV; ++ } ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2)) ++ return -ENODEV; + if (sysfs_create_group(&hdev->dev.kobj, &tpkbd_attr_group_pointer)) { - hid_warn(hdev, "Could not create sysfs group\n"); -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 09/14] HID: logitech-dj: validate output report details -Date: Wed, 28 Aug 2013 22:31:18 +0200 (CEST) -Lines: 65 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721883 10249 80.91.229.3 (28 Aug 2013 20:31:23 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:23 +0000 (UTC) -Cc: Kees Cook , - Nestor Lopez Casado -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:25 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org 
-Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOg-0000cl-O9 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:23 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1752780Ab3H1UbW (ORCPT ); - Wed, 28 Aug 2013 16:31:22 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57976 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:01:42 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11787oab; + Wed, 11 Sep 2013 13:01:42 -0700 (PDT) +X-Received: by 10.68.114.132 with SMTP id jg4mr3706613pbb.109.1378929702143; + Wed, 11 Sep 2013 13:01:42 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id l10si3649592pav.4.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:01:42 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757311Ab3IKT5a (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:30 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:43211 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1751971Ab3H1UbV (ORCPT ); - Wed, 28 Aug 2013 16:31:21 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id D53F8A531D; - Wed, 28 Aug 2013 22:31:20 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1757287Ab3IKT51 (ORCPT ); + 
Wed, 11 Sep 2013 15:57:27 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvHJA002860 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:18 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jd020673; + Wed, 11 Sep 2013 15:57:16 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 07/10] HID: logitech-dj: validate output report details +Date: Wed, 11 Sep 2013 21:56:56 +0200 +Message-Id: <1378929419-6269-8-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31660 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 2335 +Lines: 66 From: Kees Cook @@ -787,13 +867,17 @@ trigger a NULL dereference during initialization: CVE-2013-2895 Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires --- - drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) +v3: + - check for the whole size of the DJ report, as per the spec + + drivers/hid/hid-logitech-dj.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index cd33084..7b99c2a 100644 +index 7800b14..2e53024 100644 
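Review bot: The new checks in tpkbd_probe_tp() use bare literals (feature report `4` with fields `0..3`, output report `3` with two values), and the comment `/* Validate required reports. */` does not say which later writes they protect. The heap overflow described in the commit message is only prevented if these numbers match the report IDs and value indexes used elsewhere in the driver, which is outside this hunk. A comment such as `/* Feature report 4: fields 0-3, >= 1 value each. Output report 3: field 0, >= 2 values. */` would make a future mismatch easier to spot. Named constants for the two report IDs would be better still, if the driver does not already define them.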
--- a/drivers/hid/hid-logitech-dj.c +++ b/drivers/hid/hid-logitech-dj.c @@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, @@ -801,27 +885,25 @@ index cd33084..7b99c2a 100644 struct hid_report_enum *output_report_enum; u8 *data = (u8 *)(&dj_report->device_index); - int i; -+ unsigned int i, length; ++ unsigned int i; output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -@@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, +@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, return -ENODEV; } - for (i = 0; i < report->field[0]->report_count; i++) -+ length = min_t(size_t, sizeof(*dj_report) - 1, -+ report->field[0]->report_count); -+ for (i = 0; i < length; i++) ++ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++) report->field[0]->value[i] = data[i]; hid_hw_request(hdev, report, HID_REQ_SET_REPORT); -@@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev, +@@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev, goto hid_parse_fail; } -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, -+ 1, 3)) { ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, ++ 0, DJREPORT_SHORT_LENGTH - 1)) { + retval = -ENODEV; + goto hid_parse_fail; + } 
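Review bot: The copy loop in logi_dj_recv_send_report() now runs a fixed `DJREPORT_SHORT_LENGTH - 1` iterations, so its safety rests on two facts that are not checked at this site. The write side depends on the probe-time `hid_validate_values()` call added in the logi_dj_probe() part of this hunk. The read side depends on `struct dj_report` holding at least that many bytes from `device_index` onwards, which the previous revision enforced with `sizeof(*dj_report) - 1` and this one assumes. A comment on the loop, `/* field[0] size checked in logi_dj_probe() */`, plus `BUILD_BUG_ON(sizeof(*dj_report) < DJREPORT_SHORT_LENGTH);` would pin both. The struct definition is outside the hunk, so the read-side concern is unverified from here.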
@@ -829,63 +911,67 @@ index cd33084..7b99c2a 100644 /* Starts the usb device and connects to upper interfaces hiddev and * hidraw */ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 11/14] HID: multitouch: validate feature report details -Date: Wed, 28 Aug 2013 22:31:37 +0200 (CEST) -Lines: 77 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721900 10409 80.91.229.3 (28 Aug 2013 20:31:40 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:40 +0000 (UTC) -Cc: Kees Cook , - Henrik Rydberg , - Benjamin Tissoires -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:42 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOz-0000cl-Ku - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:42 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754253Ab3H1Ubl (ORCPT ); - Wed, 28 Aug 2013 16:31:41 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57991 "EHLO mx2.suse.de" +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:05:44 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11807oab; + Wed, 11 Sep 2013 13:05:44 -0700 (PDT) +X-Received: by 10.66.217.166 with SMTP 
id oz6mr5752976pac.22.1378929944218; + Wed, 11 Sep 2013 13:05:44 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id ar2si22935873pbc.82.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:05:44 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757288Ab3IKT51 (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:27 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:2642 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754222Ab3H1Ubk (ORCPT ); - Wed, 28 Aug 2013 16:31:40 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id BA511A535B; - Wed, 28 Aug 2013 22:31:39 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org + id S1756944Ab3IKT5Z (ORCPT ); + Wed, 11 Sep 2013 15:57:25 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvJjC028198 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:19 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0je020673; + Wed, 11 Sep 2013 15:57:18 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org 
+Subject: [PATCH v3 08/10] HID: validate feature and input report details +Date: Wed, 11 Sep 2013 21:56:57 +0200 +Message-Id: <1378929419-6269-9-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31662 -Archived-At: +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 4930 +Lines: 138 -From: Kees Cook +When dealing with usage_index, be sure to properly use unsigned instead of +int to avoid overflows. -When working on report indexes, always validate that they are in bounds. +When working on report fields, always validate that their report_counts are +in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: 
@@ -895,67 +981,374 @@ could trick the driver into a heap overflow: CVE-2013-2897 -Signed-off-by: Kees Cook -Cc: stable@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires --- - drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) +v3: + - new patch: extract from the hid-multitouch patch, the generic checks so that + every hid drivers will benefit from them -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index cb0e361..2aa275e 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev, - break; - } - } -+ /* Ignore if value index is out of bounds. */ -+ if (td->inputmode_index < 0 || -+ td->inputmode_index >= field->report_count) { -+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); -+ td->inputmode = -1; -+ } + drivers/hid/hid-core.c | 16 +++++++--------- + drivers/hid/hid-input.c | 11 ++++++++++- + 2 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 44b6c68..329e24e 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -94,7 +94,6 @@ EXPORT_SYMBOL_GPL(hid_register_report); + static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) + { + struct hid_field *field; +- int i; - break; - case HID_DG_CONTACTMAX: -+ /* Ignore if value count is out of bounds. 
*/ -+ if (field->report_count < 1) -+ break; - td->maxcontact_report_id = field->report->id; - td->maxcontacts = field->value[0]; - if (!td->maxcontacts && -@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report) - unsigned count; - int r, n; + if (report->maxfield == HID_MAX_FIELDS) { + hid_err(report->device, "too many fields in report\n"); +@@ -113,9 +112,6 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned + field->value = (s32 *)(field->usage + usages); + field->report = report; -+ if (report->maxfield == 0) -+ return; -+ - /* - * Includes multi-packet support where subsequent - * packets are sent with zero contactcount. - */ -- if (td->cc_index >= 0) { -- struct hid_field *field = report->field[td->cc_index]; -- int value = field->value[td->cc_value_index]; -- if (value) -- td->num_expected = value; -+ if (td->cc_index >= 0 && td->cc_index < report->maxfield) { -+ field = report->field[td->cc_index]; -+ if (td->cc_value_index >= 0 && -+ td->cc_value_index < field->report_count) { -+ int value = field->value[td->cc_value_index]; -+ if (value) -+ td->num_expected = value; -+ } +- for (i = 0; i < usages; i++) +- field->usage[i].usage_index = i; +- + return field; + } + +@@ -226,9 +222,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign + { + struct hid_report *report; + struct hid_field *field; +- int usages; ++ unsigned usages; + unsigned offset; +- int i; ++ unsigned i; + + report = hid_register_report(parser->device, report_type, parser->global.report_id); + if (!report) { +@@ -255,7 +251,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign + if (!parser->local.usage_index) /* Ignore padding fields */ + return 0; + +- usages = max_t(int, parser->local.usage_index, parser->global.report_count); ++ usages = max_t(unsigned, parser->local.usage_index, ++ parser->global.report_count); + + field = hid_register_field(report, 
usages, parser->global.report_count); + if (!field) +@@ -266,13 +263,14 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign + field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION); + + for (i = 0; i < usages; i++) { +- int j = i; ++ unsigned j = i; + /* Duplicate the last usage we parsed if we have excess values */ + if (i >= parser->local.usage_index) + j = parser->local.usage_index - 1; + field->usage[i].hid = parser->local.usage[j]; + field->usage[i].collection_index = + parser->local.collection_index[j]; ++ field->usage[i].usage_index = i; } - for (r = 0; r < report->maxfield; r++) { - + field->maxusage = usages; +@@ -1354,7 +1352,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, + goto out; + } + +- if (hid->claimed != HID_CLAIMED_HIDRAW) { ++ if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { + for (a = 0; a < report->maxfield; a++) + hid_input_field(hid, report->field[a], cdata, interrupt); + hdrv = hid->driver; +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index b420f4a..8741d95 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -485,6 +485,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + if (field->flags & HID_MAIN_ITEM_CONSTANT) + goto ignore; + ++ /* Ignore if report count is out of bounds. */ ++ if (field->report_count < 1) ++ goto ignore; ++ + /* only LED usages are supported in output fields */ + if (field->report_type == HID_OUTPUT_REPORT && + (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) { +@@ -1236,7 +1240,11 @@ static void report_features(struct hid_device *hid) + + rep_enum = &hid->report_enum[HID_FEATURE_REPORT]; + list_for_each_entry(rep, &rep_enum->report_list, list) +- for (i = 0; i < rep->maxfield; i++) ++ for (i = 0; i < rep->maxfield; i++) { ++ /* Ignore if report count is out of bounds. 
*/ ++ if (rep->field[i]->report_count < 1) ++ continue; ++ + for (j = 0; j < rep->field[i]->maxusage; j++) { + /* Verify if Battery Strength feature is available */ + hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]); +@@ -1245,6 +1253,7 @@ static void report_features(struct hid_device *hid) + drv->feature_mapping(hid, rep->field[i], + rep->field[i]->usage + j); + } ++ } + } + + static struct hid_input *hidinput_allocate(struct hid_device *hid) -- -Jiri Kosina -SUSE Labs +1.8.3.1 + -- -To unsubscribe from this list: send the line "unsubscribe linux-input" in +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ + +From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:01:25 2013 +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp11783oab; + Wed, 11 Sep 2013 13:01:25 -0700 (PDT) +X-Received: by 10.67.1.228 with SMTP id bj4mr5448135pad.157.1378929685422; + Wed, 11 Sep 2013 13:01:25 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) + by mx.google.com with ESMTP id pi7si3124468pbc.51.1969.12.31.16.00.00; + Wed, 11 Sep 2013 13:01:25 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757329Ab3IKT5c (ORCPT + + 99 others); Wed, 11 Sep 2013 15:57:32 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:55015 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1756944Ab3IKT52 (ORCPT ); + Wed, 11 Sep 2013 15:57:28 -0400 +Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvLrf002879 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Wed, 11 Sep 2013 15:57:21 -0400 +Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jf020673; + Wed, 11 Sep 2013 15:57:20 -0400 +From: Benjamin Tissoires +To: Benjamin Tissoires , + Kees Cook , + Henrik Rydberg , + Jiri Kosina , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH v3 09/10] HID: multitouch: validate indexes details +Date: Wed, 11 Sep 2013 21:56:58 +0200 +Message-Id: <1378929419-6269-10-git-send-email-benjamin.tissoires@redhat.com> +In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: 
+X-Mailing-List: linux-kernel@vger.kernel.org +Status: RO +Content-Length: 3416 +Lines: 90 + +When working on report indexes, always validate that they are in bounds. +Without this, a HID device could report a malicious feature report that +could trick the driver into a heap overflow: + +[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 +... +[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +Note that we need to change the indexes from s8 to s16 as they can +be between -1 and 255. + +CVE-2013-2897 + +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +--- +v3: + - extract from hid-multitouch the generic checks so that every hid drivers will + benefit from them + - change __s8 index declarations into __s16 + - use usage_index for the input_mode index instead of a half working code + - check the indexes validities only once + + drivers/hid/hid-multitouch.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index ac28f08..5e5fe1b 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -101,9 +101,9 @@ struct mt_device { + unsigned last_slot_field; /* the last field of a slot */ + unsigned mt_report_id; /* the report ID of the multitouch device */ + unsigned pen_report_id; /* the report ID of the pen device */ +- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */ +- __s8 inputmode_index; /* InputMode HID feature index in the report */ +- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature, ++ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ ++ __s16 inputmode_index; /* InputMode HID feature index in the report */ ++ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature, + -1 if non-existent */ + __u8 num_received; /* how many contacts we received */ + __u8 num_expected; /* expected last contact index */ +@@ -312,20 +312,18 @@ 
static void mt_feature_mapping(struct hid_device *hdev,
+ struct hid_field *field, struct hid_usage *usage)
+ {
+ struct mt_device *td = hid_get_drvdata(hdev);
+- int i;
+
+ switch (usage->hid) {
+ case HID_DG_INPUTMODE:
+- td->inputmode = field->report->id;
+- td->inputmode_index = 0; /* has to be updated below */
+-
+- for (i=0; i < field->maxusage; i++) {
+- if (field->usage[i].hid == usage->hid) {
+- td->inputmode_index = i;
+- break;
+- }
++ /* Ignore if value index is out of bounds. */
++ if (usage->usage_index >= field->report_count) {
++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
++ break;
+ }
+
++ td->inputmode = field->report->id;
++ td->inputmode_index = usage->usage_index;
++
+ break;
+ case HID_DG_CONTACTMAX:
+ td->maxcontact_report_id = field->report->id;
+@@ -511,6 +509,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
+ mt_store_field(usage, td, hi);
+ return 1;
+ case HID_DG_CONTACTCOUNT:
++ /* Ignore if indexes are out of bounds. */
++ if (field->index >= field->report->maxfield ||
++ usage->usage_index >= field->report_count)
++ return 1;
+ td->cc_index = field->index;
+ td->cc_value_index = usage->usage_index;
+ return 1;
+--
+1.8.3.1
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
+
+From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:02:04 2013
+Delivered-To: jwboyer@gmail.com
+Received: by 10.76.168.104 with SMTP id zv8csp11788oab;
+ Wed, 11 Sep 2013 13:02:04 -0700 (PDT)
+X-Received: by 10.66.158.72 with SMTP id ws8mr5663660pab.39.1378929724125;
+ Wed, 11 Sep 2013 13:02:04 -0700 (PDT)
+Return-Path:
+Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67])
+ by mx.google.com with ESMTP id rt3si22933801pbc.113.1969.12.31.16.00.00;
+ Wed, 11 Sep 2013 13:02:04 -0700 (PDT)
+Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+ spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1757009Ab3IKT55 (ORCPT
+ + 99 others); Wed, 11 Sep 2013 15:57:57 -0400
+Received: from mx1.redhat.com ([209.132.183.28]:25059 "EHLO mx1.redhat.com"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1757308Ab3IKT53 (ORCPT );
+ Wed, 11 Sep 2013 15:57:29 -0400
+Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
+ by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvNSJ001923
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
+ Wed, 11 Sep 2013 15:57:23 -0400
+Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31])
+ by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jg020673;
+ Wed, 11 Sep 2013 15:57:22 -0400
+From: Benjamin Tissoires
+To: Benjamin Tissoires ,
+ Kees Cook ,
+ Henrik Rydberg ,
+ Jiri Kosina , linux-input@vger.kernel.org,
+ linux-kernel@vger.kernel.org
+Subject: [PATCH v3 10/10] HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
+Date: Wed, 11 Sep 2013 21:56:59 +0200
+Message-Id: <1378929419-6269-11-git-send-email-benjamin.tissoires@redhat.com>
+In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com>
+References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com>
+X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: 
+X-Mailing-List: linux-kernel@vger.kernel.org
+Status: RO
+Content-Length: 1436
+Lines: 60
+
+If tpkbd_probe_tp() bails out, the probe() function return an error,
+but hid_hw_stop() is never called.
+
+fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=1003998
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires
+---
+v3:
+ - new patch
+
+ drivers/hid/hid-lenovo-tpkbd.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
+index 762d988..31cf29a 100644
+--- a/drivers/hid/hid-lenovo-tpkbd.c
++++ b/drivers/hid/hid-lenovo-tpkbd.c
+@@ -414,22 +414,27 @@ static int tpkbd_probe(struct hid_device *hdev,
+ ret = hid_parse(hdev);
+ if (ret) {
+ hid_err(hdev, "hid_parse failed\n");
+- goto err_free;
++ goto err;
+ }
+
+ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ if (ret) {
+ hid_err(hdev, "hid_hw_start failed\n");
+- goto err_free;
++ goto err;
+ }
+
+ uhdev = (struct usbhid_device *) hdev->driver_data;
+
+- if (uhdev->ifnum == 1)
+- return tpkbd_probe_tp(hdev);
++ if (uhdev->ifnum == 1) {
++ ret = tpkbd_probe_tp(hdev);
++ if (ret)
++ goto err_hid;
++ }
+
+ return 0;
+-err_free:
++err_hid:
++ hid_hw_stop(hdev);
++err:
+ return ret;
+ }
+
+--
+1.8.3.1
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
+