CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179)
This commit is contained in:
Josh Boyer
parent
b3e4fef148
commit
eecfe9602d
|
|
@ -0,0 +1,51 @@
|
|||
From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
|
||||
From: Jiri Kosina <jkosina@suse.cz>
|
||||
Date: Wed, 27 Aug 2014 09:12:24 +0200
|
||||
Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
|
||||
callback
|
||||
|
||||
The report passed to us from transport driver could potentially be
|
||||
arbitrarily large, therefore we better sanity-check it so that
|
||||
magicmouse_emit_touch() gets only valid values of raw_id.
|
||||
|
||||
Bugzilla: 1141179
|
||||
Upstream-status: 3.17 and CC'd stable
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Steven Vittitoe <scvitti@google.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-magicmouse.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
|
||||
index ecc2cbf300cc..29a74c1efcb8 100644
|
||||
--- a/drivers/hid/hid-magicmouse.c
|
||||
+++ b/drivers/hid/hid-magicmouse.c
|
||||
@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
|
||||
if (size < 4 || ((size - 4) % 9) != 0)
|
||||
return 0;
|
||||
npoints = (size - 4) / 9;
|
||||
+ if (npoints > 15) {
|
||||
+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
|
||||
+ size);
|
||||
+ return 0;
|
||||
+ }
|
||||
msc->ntouches = 0;
|
||||
for (ii = 0; ii < npoints; ii++)
|
||||
magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
|
||||
@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
|
||||
if (size < 6 || ((size - 6) % 8) != 0)
|
||||
return 0;
|
||||
npoints = (size - 6) / 8;
|
||||
+ if (npoints > 15) {
|
||||
+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
|
||||
+ size);
|
||||
+ return 0;
|
||||
+ }
|
||||
msc->ntouches = 0;
|
||||
for (ii = 0; ii < npoints; ii++)
|
||||
magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
|
@ -759,6 +759,9 @@ Patch25130: namespaces-remount-fixes.patch
|
|||
#CVE-2014-3631 rhbz 1116347
|
||||
Patch26020: KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
|
||||
|
||||
#CVE-2014-3181 rhbz 1141179 1141173
|
||||
Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1460,6 +1463,9 @@ ApplyPatch namespaces-remount-fixes.patch
|
|||
#CVE-2014-3631 rhbz 1116347
|
||||
ApplyPatch KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
|
||||
|
||||
#CVE-2014-3181 rhbz 1141179 1141173
|
||||
ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2272,6 +2278,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Fri Sep 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179)
|
||||
|
||||
* Wed Sep 10 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3631 Add patch to fix oops on keyring gc (rhbz 1116347)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue