From: Greg Kroah-Hartman
Date: Fri, 27 Sep 2013 21:12:04 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.0.98~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=507999969f07550c70ba8a3510fa3d0b84839d83;p=thirdparty%2Fkernel%2Fstable-queue.git
3.4-stable patches
added patches:
hid-logitech-dj-validate-output-report-details.patch
hid-zeroplus-validate-output-report-details.patch
---
diff --git a/queue-3.4/hid-logitech-dj-validate-output-report-details.patch b/queue-3.4/hid-logitech-dj-validate-output-report-details.patch
new file mode 100644
index 00000000000..acb62edd02e
--- /dev/null
+++ b/queue-3.4/hid-logitech-dj-validate-output-report-details.patch
@@ -0,0 +1,62 @@
+From 297502abb32e225fb23801fcdb0e4f6f8e17099a Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 11 Sep 2013 21:56:56 +0200
+Subject: HID: logitech-dj: validate output report details
+
+From: Kees Cook
+
+commit 297502abb32e225fb23801fcdb0e4f6f8e17099a upstream.
+
+A HID device could send a malicious output report that would cause the
+logitech-dj HID driver to leak kernel memory contents to the device, or
+trigger a NULL dereference during initialization:
+
+[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+...
+[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+[ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+CVE-2013-2895
+
+Signed-off-by: Kees Cook
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-logitech-dj.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -454,7 +454,7 @@ static int logi_dj_recv_send_report(stru
+ struct hid_report *report;
+ struct hid_report_enum *output_report_enum;
+ u8 *data = (u8 *)(&dj_report->device_index);
+- int i;
++ unsigned int i;
+
+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -464,7 +464,7 @@ static int logi_dj_recv_send_report(stru
+ return -ENODEV;
+ }
+
+- for (i = 0; i < report->field[0]->report_count; i++)
++ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
+ report->field[0]->value[i] = data[i];
+
+ usbhid_submit_report(hdev, report, USB_DIR_OUT);
+@@ -783,6 +783,12 @@ static int logi_dj_probe(struct hid_devi
+ goto hid_parse_fail;
+ }
+
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++ 0, DJREPORT_SHORT_LENGTH - 1)) {
++ retval = -ENODEV;
++ goto hid_parse_fail;
++ }
++
+ /* Starts the usb device and connects to upper interfaces hiddev and
+ * hidraw */
+ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
diff --git a/queue-3.4/hid-zeroplus-validate-output-report-details.patch b/queue-3.4/hid-zeroplus-validate-output-report-details.patch
new file mode 100644
index 00000000000..791bb6c3bac
--- /dev/null
+++ b/queue-3.4/hid-zeroplus-validate-output-report-details.patch
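Review bot: In `logi_dj_recv_send_report()` the loop now writes a fixed `DJREPORT_SHORT_LENGTH - 1` values into `report->field[0]->value[]`, but the only thing that makes that bound safe is the `hid_validate_values()` call added in `logi_dj_probe()`, a different function some three hundred lines further down the file. A comment at the loop would keep the two in step, for example `/* field[0] is checked to hold DJREPORT_SHORT_LENGTH - 1 values by hid_validate_values() in logi_dj_probe() */`. The loop also reads the same number of bytes from `data`, which starts at `&dj_report->device_index`; the layout of `dj_report` is not visible in the hunk, so it is worth confirming the structure holds at least that many bytes from that member onward. Both functions continue outside the quoted hunks, and the patch depends on `hid-provide-a-helper-for-validating-hid-reports.patch`, which the series file lists ahead of it.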
@@ -0,0 +1,58 @@
+From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 11 Sep 2013 21:56:51 +0200
+Subject: HID: zeroplus: validate output report details
+
+From: Kees Cook
+
+commit 78214e81a1bf43740ce89bb5efda78eac2f8ef83 upstream.
+
+The zeroplus HID driver was not checking the size of allocated values
+in fields it used. A HID device could send a malicious output report
+that would cause the driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+...
+[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2889
+
+Signed-off-by: Kees Cook
+Reviewed-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-zpff.c | 18 +++++------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -70,21 +70,13 @@ static int zpff_init(struct hid_device *
+ struct hid_report *report;
+ struct hid_input *hidinput = list_entry(hid->inputs.next,
+ struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- int error;
++ int i, error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
+- return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 4) {
+- hid_err(hid, "not enough fields in report\n");
+- return -ENODEV;
++ for (i = 0; i < 4; i++) {
++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
++ if (!report)
++ return -ENODEV;
+ }
+
+ zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
diff --git a/queue-3.4/series b/queue-3.4/series
index b10b0bd7226..97feaea9afb 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
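Review bot: The new loop in `zpff_init()` validates fields 0 through 3 using a bare literal `4` and a value count of `1`, with nothing saying why those are the right numbers; presumably they match the fields the driver writes later in the function, which lies outside the hunk. A short comment such as `/* the driver writes value[0] of output fields 0..3 below */` (to be confirmed against the rest of the function) or a named constant would make that link explicit. The two `hid_err()` messages were removed, so a rejected device is only reported if `hid_validate_values()` logs the failure itself; that helper is not part of this patch, so it is worth checking before relying on it for diagnostics.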
@@ -3,3 +3,5 @@ net-usb-cdc_ether-use-wwan-interface-for-telit-modules.patch
 rt2800-fix-wrong-tx-power-compensation.patch
 sched-fair-fix-small-race-where-child-se.parent-cfs_rq-might-point-to-invalid-ones.patch
 hid-provide-a-helper-for-validating-hid-reports.patch
+hid-zeroplus-validate-output-report-details.patch
+hid-logitech-dj-validate-output-report-details.patch