CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513)
This commit is contained in:
Josh Boyer
parent
94d37862fa
commit
b88c442b2e
|
|
@ -0,0 +1,44 @@
|
|||
From 93a2001bdfd5376c3dc2158653034c20392d15c5 Mon Sep 17 00:00:00 2001
|
||||
From: Scott Bauer <sbauer@plzdonthack.me>
|
||||
Date: Thu, 23 Jun 2016 08:59:47 -0600
|
||||
Subject: [PATCH] HID: hiddev: validate num_values for HIDIOCGUSAGES,
|
||||
HIDIOCSUSAGES commands
|
||||
|
||||
This patch validates the num_values parameter from userland during the
|
||||
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
|
||||
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
|
||||
leading to a heap overflow.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/usbhid/hiddev.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
|
||||
index 2f1ddca6f2e0..700145b15088 100644
|
||||
--- a/drivers/hid/usbhid/hiddev.c
|
||||
+++ b/drivers/hid/usbhid/hiddev.c
|
||||
@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
|
||||
goto inval;
|
||||
} else if (uref->usage_index >= field->report_count)
|
||||
goto inval;
|
||||
-
|
||||
- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
|
||||
- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
|
||||
- uref->usage_index + uref_multi->num_values > field->report_count))
|
||||
- goto inval;
|
||||
}
|
||||
|
||||
+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
|
||||
+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
|
||||
+ uref->usage_index + uref_multi->num_values > field->report_count))
|
||||
+ goto inval;
|
||||
+
|
||||
switch (cmd) {
|
||||
case HIDIOCGUSAGE:
|
||||
uref->value = field->value[uref->usage_index];
|
||||
--
|
||||
2.5.5
|
||||
|
||||
|
|
@ -673,6 +673,9 @@ Patch728: hp-wmi-fix-wifi-cannot-be-hard-unblock.patch
|
|||
#CVE-2016-4998 rhbz 1349886 1350316
|
||||
Patch729: CVE-2016-4998.patch
|
||||
|
||||
#CVE-2016-5829 rhbz 1350509 1350513
|
||||
Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2190,7 +2193,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Jun 27 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.7-201
|
||||
* Mon Jun 27 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.7-201
|
||||
- CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513)
|
||||
|
||||
* Mon Jun 27 2016 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- CVE-2016-4998 oob reads when processing IPT_SO_SET_REPLACE setsockopt (rhbz 1349886 1350316)
|
||||
|
||||
* Wed Jun 15 2016 Laura Abbott <labbott@fedoraproject.org>
|
||||
|
|
|
|||
Loading…
Reference in New Issue