3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 21:12:04 +0000 (14:12 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 21:12:04 +0000 (14:12 -0700)
added patches:
hid-logitech-dj-validate-output-report-details.patch
hid-zeroplus-validate-output-report-details.patch

queue-3.4/hid-logitech-dj-validate-output-report-details.patch [new file with mode: 0644]
queue-3.4/hid-zeroplus-validate-output-report-details.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/hid-logitech-dj-validate-output-report-details.patch b/queue-3.4/hid-logitech-dj-validate-output-report-details.patch
new file mode 100644 (file)
index 0000000..acb62ed
--- /dev/null
@@ -0,0 +1,62 @@
+From 297502abb32e225fb23801fcdb0e4f6f8e17099a Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:56 +0200
+Subject: HID: logitech-dj: validate output report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 297502abb32e225fb23801fcdb0e4f6f8e17099a upstream.
+
+A HID device could send a malicious output report that would cause the
+logitech-dj HID driver to leak kernel memory contents to the device, or
+trigger a NULL dereference during initialization:
+
+[  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+...
+[  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+[  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+CVE-2013-2895
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-logitech-dj.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -454,7 +454,7 @@ static int logi_dj_recv_send_report(stru
+       struct hid_report *report;
+       struct hid_report_enum *output_report_enum;
+       u8 *data = (u8 *)(&dj_report->device_index);
+-      int i;
++      unsigned int i;
+       output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+       report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -464,7 +464,7 @@ static int logi_dj_recv_send_report(stru
+               return -ENODEV;
+       }
+-      for (i = 0; i < report->field[0]->report_count; i++)
++      for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
+               report->field[0]->value[i] = data[i];
+       usbhid_submit_report(hdev, report, USB_DIR_OUT);
+@@ -783,6 +783,12 @@ static int logi_dj_probe(struct hid_devi
+               goto hid_parse_fail;
+       }
++      if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++                               0, DJREPORT_SHORT_LENGTH - 1)) {
++              retval = -ENODEV;
++              goto hid_parse_fail;
++      }
++
+       /* Starts the usb device and connects to upper interfaces hiddev and
+        * hidraw */
+       retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
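Review bot: The send loop `for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)` now relies on the probe-time `hid_validate_values()` call to guarantee that `report->field[0]->value` holds at least `DJREPORT_SHORT_LENGTH - 1` entries, but nothing at the loop records that coupling; a comment such as `/* field[0] sized >= DJREPORT_SHORT_LENGTH - 1, validated in logi_dj_probe() */` would keep the two bounds from drifting apart in later edits. The validation argument and the loop bound are the same expression, so a single named constant for "values per short report" would make the intent clearer than repeating the subtraction in two places. This backport depends on hid_validate_values() from hid-provide-a-helper-for-validating-hid-reports.patch, so that patch must remain ahead of this one in the series file, as it currently is. Both logi_dj_recv_send_report() and logi_dj_probe() start and end outside the hunk.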
diff --git a/queue-3.4/hid-zeroplus-validate-output-report-details.patch b/queue-3.4/hid-zeroplus-validate-output-report-details.patch
new file mode 100644 (file)
index 0000000..791bb6c
--- /dev/null
@@ -0,0 +1,58 @@
+From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 21:56:51 +0200
+Subject: HID: zeroplus: validate output report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 78214e81a1bf43740ce89bb5efda78eac2f8ef83 upstream.
+
+The zeroplus HID driver was not checking the size of allocated values
+in fields it used. A HID device could send a malicious output report
+that would cause the driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+...
+[ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2889
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-zpff.c |   18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -70,21 +70,13 @@ static int zpff_init(struct hid_device *
+       struct hid_report *report;
+       struct hid_input *hidinput = list_entry(hid->inputs.next,
+                                               struct hid_input, list);
+-      struct list_head *report_list =
+-                      &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+       struct input_dev *dev = hidinput->input;
+-      int error;
++      int i, error;
+-      if (list_empty(report_list)) {
+-              hid_err(hid, "no output report found\n");
+-              return -ENODEV;
+-      }
+-
+-      report = list_entry(report_list->next, struct hid_report, list);
+-
+-      if (report->maxfield < 4) {
+-              hid_err(hid, "not enough fields in report\n");
+-              return -ENODEV;
++      for (i = 0; i < 4; i++) {
++              report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
++              if (!report)
++                      return -ENODEV;
+       }
+       zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
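Review bot: After the new loop `for (i = 0; i < 4; i++)`, `report` holds whatever `hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1)` returned on the final iteration, and the hunk gives no hint that this is the report the remainder of zpff_init() presumably goes on to use; a comment such as `/* id 0: the helper resolves the first output report, so each pass returns the same report; we need fields 0..3 with >= 1 value */` above the loop would make that explicit, assuming the backported helper keeps the upstream id-0 semantics. The removed `hid_err()` lines mean this function no longer logs its own reason for returning -ENODEV, which is fine only if the helper reports the failure itself, which is worth confirming against the helper patch in this queue. The loop index is declared `int i` while the companion logitech-dj patch in this commit switched its index to `unsigned int`; with a constant bound of 4 this is harmless, but `unsigned int i` would be consistent. zpff_init() continues outside the hunk.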
index b10b0bd7226fd767e49ea72acaab0502d2f73132..97feaea9afb742964956f494a4713d5801caf612 100644 (file)
@@ -3,3 +3,5 @@ net-usb-cdc_ether-use-wwan-interface-for-telit-modules.patch
 rt2800-fix-wrong-tx-power-compensation.patch
 sched-fair-fix-small-race-where-child-se.parent-cfs_rq-might-point-to-invalid-ones.patch
 hid-provide-a-helper-for-validating-hid-reports.patch
+hid-zeroplus-validate-output-report-details.patch
+hid-logitech-dj-validate-output-report-details.patch