CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
This commit is contained in:
Josh Boyer
parent
c9aabf1787
commit
dc255383ad
41
HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
Normal file
41
HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 844817e47eef14141cf59b8d5ac08dd11c0a9189 Mon Sep 17 00:00:00 2001
|
||||
From: Jiri Kosina <jkosina@suse.cz>
|
||||
Date: Wed, 27 Aug 2014 09:13:15 +0200
|
||||
Subject: [PATCH] HID: picolcd: sanity check report size in raw_event()
|
||||
callback
|
||||
|
||||
The report passed to us from transport driver could potentially be
|
||||
arbitrarily large, therefore we better sanity-check it so that raw_data
|
||||
that we hold in picolcd_pending structure are always kept within proper
|
||||
bounds.
|
||||
|
||||
Bugzilla: 1141410
|
||||
Upstream-status: 3.17 and CC'd to stable
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Steven Vittitoe <scvitti@google.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-picolcd_core.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
|
||||
index acbb021065ec..020df3c2e8b4 100644
|
||||
--- a/drivers/hid/hid-picolcd_core.c
|
||||
+++ b/drivers/hid/hid-picolcd_core.c
|
||||
@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
|
||||
if (!data)
|
||||
return 1;
|
||||
|
||||
+ if (size > 64) {
|
||||
+ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
|
||||
+ size);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (report->id == REPORT_KEY_STATE) {
|
||||
if (data->input_keys)
|
||||
ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
|
||||
--
|
||||
2.1.0
|
||||
|
||||
@ -762,6 +762,9 @@ Patch26020: KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
|
||||
#CVE-2014-3181 rhbz 1141179 1141173
|
||||
Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch
|
||||
|
||||
#CVE-2014-3186 rhbz 1141407 1141410
|
||||
Patch26025: HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -1466,6 +1469,9 @@ ApplyPatch KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
|
||||
#CVE-2014-3181 rhbz 1141179 1141173
|
||||
ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch
|
||||
|
||||
#CVE-2014-3186 rhbz 1141407 1141410
|
||||
ApplyPatch HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
@ -2278,6 +2284,9 @@ fi
|
||||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Sep 15 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
|
||||
|
||||
* Fri Sep 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user