CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513)

2016-06-27 11:57:34 -04:00 · 2016-06-27 11:57:34 -04:00 · b76c98ddd6
parent f340e962e7
commit b76c98ddd6
2 changed files with 53 additions and 0 deletions
--- a/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
+++ b/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
@ -0,0 +1,44 @@
+From 93a2001bdfd5376c3dc2158653034c20392d15c5 Mon Sep 17 00:00:00 2001
+From: Scott Bauer <sbauer@plzdonthack.me>
+Date: Thu, 23 Jun 2016 08:59:47 -0600
+Subject: [PATCH] HID: hiddev: validate num_values for HIDIOCGUSAGES,
+ HIDIOCSUSAGES commands
+
+This patch validates the num_values parameter from userland during the
+HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
+to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
+leading to a heap overflow.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/usbhid/hiddev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
+index 2f1ddca6f2e0..700145b15088 100644
+--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
+@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
+ 					goto inval;
+ 			} else if (uref->usage_index >= field->report_count)
+ 				goto inval;
+-
+-			else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+-				 (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+-				  uref->usage_index + uref_multi->num_values > field->report_count))
+-				goto inval;
+ 		}
+ 
+		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+		     uref->usage_index + uref_multi->num_values > field->report_count))
+			goto inval;
+
+ 		switch (cmd) {
+ 		case HIDIOCGUSAGE:
+ 			uref->value = field->value[uref->usage_index];
+-- 
+2.5.5
+
--- a/kernel.spec
+++ b/kernel.spec
@ -650,6 +650,9 @@ Patch727: KEYS-potential-uninitialized-variable.patch
 #rhbz 1338025
 Patch728: hp-wmi-fix-wifi-cannot-be-hard-unblock.patch

+#CVE-2016-5829 rhbz 1350509 1350513
+Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
+
 # END OF PATCH DEFINITIONS
 %endif

@ -1361,6 +1364,9 @@ ApplyPatch KEYS-potential-uninitialized-variable.patch
 #rhbz 1338025
 ApplyPatch hp-wmi-fix-wifi-cannot-be-hard-unblock.patch

+#CVE-2016-5829 rhbz 1350509 1350513
+ApplyPatch HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2210,6 +2216,9 @@ fi
 #
 # 
 %changelog
+* Mon Jun 27 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513)
+
 * Fri Jun 24 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.14-200
 - Linux v4.4.14