3.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Aug 2014 23:26:46 +0000 (16:26 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Aug 2014 23:26:46 +0000 (16:26 -0700)
added patches:
hid-fix-a-couple-of-off-by-ones.patch
hid-logitech-fix-bounds-checking-on-led-report-size.patch
hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch

queue-3.16/hid-fix-a-couple-of-off-by-ones.patch [new file with mode: 0644]
queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch [new file with mode: 0644]
queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch [new file with mode: 0644]
queue-3.16/series

diff --git a/queue-3.16/hid-fix-a-couple-of-off-by-ones.patch b/queue-3.16/hid-fix-a-couple-of-off-by-ones.patch
new file mode 100644 (file)
index 0000000..f143df5
--- /dev/null
@@ -0,0 +1,100 @@
+From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: HID: fix a couple of off-by-ones
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 upstream.
+
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-cherry.c   |    2 +-
+ drivers/hid/hid-kye.c      |    2 +-
+ drivers/hid/hid-lg.c       |    4 ++--
+ drivers/hid/hid-monterey.c |    2 +-
+ drivers/hid/hid-petalynx.c |    2 +-
+ drivers/hid/hid-sunplus.c  |    2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-cherry.c
++++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
++      if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+               hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+               rdesc[11] = rdesc[16] = 0xff;
+               rdesc[12] = rdesc[17] = 0x03;
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid
+                *   - change the button usage range to 4-7 for the extra
+                *     buttons
+                */
+-              if (*rsize >= 74 &&
++              if (*rsize >= 75 &&
+                       rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+                       rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+                       rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_
+       struct usb_device_descriptor *udesc;
+       __u16 bcdDevice, rev_maj, rev_min;
+-      if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
++      if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+                       rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+               hid_info(hdev,
+                        "fixing up Logitech keyboard report descriptor\n");
+               rdesc[84] = rdesc[89] = 0x4d;
+               rdesc[85] = rdesc[90] = 0x10;
+       }
+-      if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
++      if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+                       rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+                       rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+               hid_info(hdev,
+--- a/drivers/hid/hid-monterey.c
++++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
++      if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+               hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+               rdesc[30] = 0x0c;
+       }
+--- a/drivers/hid/hid-petalynx.c
++++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
++      if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+                       rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+                       rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+               hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+--- a/drivers/hid/hid-sunplus.c
++++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
++      if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+                       rdesc[106] == 0x03) {
+               hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+               rdesc[105] = rdesc[110] = 0x03;
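Review bot: Each corrected threshold in these `*_report_fixup()` checks is still a bare literal that must be kept in step by hand with the highest `rdesc[]` index the branch reads or writes, which is the kind of mismatch this patch had to correct. A one-line comment beside each check would make the bound auditable, for example in `ch_report_fixup()`: `/* highest index touched is rdesc[17], so require *rsize >= 18 */`. For the kye, second hid-lg, petalynx and sunplus checks the branch bodies continue outside the hunk, so the highest index cannot be confirmed from here. The sunplus threshold of 112 implies an access to `rdesc[111]` that is not visible. The descriptor bytes presumably come from the attached device, so these size checks are the only guard between device-supplied data and an out-of-bounds write in the fixup.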
diff --git a/queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch b/queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch
new file mode 100644 (file)
index 0000000..f10540c
--- /dev/null
@@ -0,0 +1,38 @@
+From 51217e69697fba92a06e07e16f55c9a52d8e8945 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:56:47 -0500
+Subject: HID: logitech: fix bounds checking on LED report size
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 51217e69697fba92a06e07e16f55c9a52d8e8945 upstream.
+
+The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
+is wrong; the current check doesn't make any sense -- the report allocated
+by HID core in hid_hw_raw_request() can be much larger than
+DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
+handle this properly at all.
+
+Fix the check by actually trimming down the report size properly if it is
+too large.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-logitech-dj.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -557,7 +557,7 @@ static int logi_dj_ll_raw_request(struct
+       if (!out_buf)
+               return -ENOMEM;
+-      if (count < DJREPORT_SHORT_LENGTH - 2)
++      if (count > DJREPORT_SHORT_LENGTH - 2)
+               count = DJREPORT_SHORT_LENGTH - 2;
+       out_buf[0] = REPORT_ID_DJ_SHORT;
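Review bot: The corrected clamp `if (count > DJREPORT_SHORT_LENGTH - 2)` shortens an over-long LED report silently, and the `- 2` is an unexplained literal repeated on both lines. A comment above it would document the contract, e.g. `/* payload is capped at DJREPORT_SHORT_LENGTH minus the 2 header bytes; longer requests are truncated */`. This assumes the two bytes are the report id written at `out_buf[0]` and one further header byte set outside the hunk. The allocation of `out_buf`, the copy that uses `count` and the return value all sit outside the hunk in `logi_dj_ll_raw_request()`. It is therefore worth confirming there that the buffer is at least `DJREPORT_SHORT_LENGTH` bytes and that the caller is not told more bytes were sent than were copied.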
diff --git a/queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch b/queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
new file mode 100644 (file)
index 0000000..524aa0e
--- /dev/null
@@ -0,0 +1,60 @@
+From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:17 -0500
+Subject: HID: logitech: perform bounds checking on device_id early enough
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 upstream.
+
+device_index is a char type and the size of paired_dj_deivces is 7
+elements, therefore proper bounds checking has to be applied to
+device_index before it is used.
+
+We are currently performing the bounds checking in
+logi_dj_recv_add_djhid_device(), which is too late, as malicious device
+could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
+problem in one of the report forwarding functions called from
+logi_dj_raw_event().
+
+Fix this by performing the check at the earliest possible ocasion in
+logi_dj_raw_event().
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-logitech-dj.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_devic
+               return;
+       }
+-      if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+-          (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+-              dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
+-                      __func__, dj_report->device_index);
+-              return;
+-      }
+-
+       if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
+               /* The device is already known. No need to reallocate it. */
+               dbg_hid("%s: device is already known\n", __func__);
+@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_
+        * device (via hid_input_report() ) and return 1 so hid-core does not do
+        * anything else with it.
+        */
++      if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
++          (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
++              dev_err(&hdev->dev, "%s: invalid device index:%d\n",
++                              __func__, dj_report->device_index);
++              return false;
++      }
+       spin_lock_irqsave(&djrcv_dev->lock, flags);
+       if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
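Review bot: The new rejection path in `logi_dj_raw_event()` ends in `return false;` although the function is declared `static int`, and the comment just above says 1 is the value that stops hid-core from processing the report further. If 0 is intended, write it as `return 0;` with a short comment saying what hid-core then does with a report whose index was rejected. If the report should be dropped, the value needs to match that convention. The `dev_err()` sits on a path a device can trigger at will, so `dev_err_ratelimited(&hdev->dev, "%s: invalid device index:%d\n", __func__, dj_report->device_index);` would keep a misbehaving device from flooding the log. The check also runs before the `report_id` test on the last line of the hunk, so reports that are not DJ reports appear to be judged by the same byte; that is worth confirming against the rest of the function, which starts and ends outside the hunk.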
index 4a6e33765e23e194b45ba726f81361e939e4db51..df127cfae1a544a66d20414b4b2d3146c0e3d40f 100644 (file)
@@ -1,2 +1,5 @@
 stable_kernel_rules-add-pointer-to-netdev-faq-for-network-patches.patch
 mips-math-emu-fix-instruction-decoding.patch
+hid-logitech-fix-bounds-checking-on-led-report-size.patch
+hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
+hid-fix-a-couple-of-off-by-ones.patch