From: Greg Kroah-Hartman Date: Tue, 24 Sep 2013 15:05:53 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.97~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ceeb83963662f468f76b49db25e16a142579289;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: hid-check-for-null-field-when-setting-values.patch hid-ntrig-validate-feature-report-details.patch hid-validate-hid-report-id-size.patch
---
diff --git a/queue-3.0/hid-check-for-null-field-when-setting-values.patch b/queue-3.0/hid-check-for-null-field-when-setting-values.patch
new file mode 100644
index 00000000000..be57123b294
--- /dev/null
+++ b/queue-3.0/hid-check-for-null-field-when-setting-values.patch
@@ -0,0 +1,35 @@
+From be67b68d52fa28b9b721c47bb42068f0c1214855 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: HID: check for NULL field when setting values
+
+From: Kees Cook
+
+commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream.
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -993,7 +993,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+{
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
diff --git a/queue-3.0/hid-ntrig-validate-feature-report-details.patch b/queue-3.0/hid-ntrig-validate-feature-report-details.patch
new file mode 100644
index 00000000000..8d95fde78e8
--- /dev/null
+++ b/queue-3.0/hid-ntrig-validate-feature-report-details.patch
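Review bot: The `if (!field) return -1;` guard added to hid_set_field in hid-check-for-null-field-when-setting-values.patch only protects callers that pass the pointer into this function. A driver that dereferences `report->field[n]` itself is not covered, so the guard is no substitute for per-driver report validation of the kind the ntrig patch queued in this same commit performs. A comment above the guard would make that explicit, for example `/* defensive only: drivers must still validate report->maxfield before indexing report->field[] */`. The failure is also silent, and whether callers act on the return value cannot be seen from this hunk; the body of hid_set_field continues past it.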
@@ -0,0 +1,40 @@
+From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:31:28 +0200
+Subject: HID: ntrig: validate feature report details
+
+From: Kees Cook
+
+commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream.
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook
+Signed-off-by: Rafi Rubin
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ usbhid_submit_report(hdev, report, USB_DIR_IN);
diff --git a/queue-3.0/hid-validate-hid-report-id-size.patch b/queue-3.0/hid-validate-hid-report-id-size.patch
new file mode 100644
index 00000000000..b2e9adf9ec4
--- /dev/null
+++ b/queue-3.0/hid-validate-hid-report-id-size.patch
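Review bot: The widened check in ntrig_get_mode reads `report->field[0]->report_count` on the strength of `report->maxfield >= 1`, so it relies on the HID core never leaving `field[0]` NULL once maxfield is non-zero. That invariant is not visible in this hunk and deserves a one-line comment above the check, e.g. `/* descriptor is device-controlled: require field 0 with at least one value */`. The oops quoted in the description is attributed to ntrig_probe while the hunk touches only ntrig_get_mode, presumably inlined there. Any other function in hid-ntrig.c that looks up `report_id_hash[0x0d]` would need the same validation, which cannot be confirmed from here because the function body and the rest of the file lie outside the hunk.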
@@ -0,0 +1,79 @@
+From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:29:55 +0200
+Subject: HID: validate HID report id size
+
+From: Kees Cook
+
+commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-core.c | 12 ++++++++----
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -58,6 +58,8 @@ struct hid_report *hid_register_report(s
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -379,9 +381,11 @@ static int hid_parser_global(struct hid_
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- dbg_hid("report_id 0 is invalid\n");
+- return -1;
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
++ return -1;
+ }
+ return 0;
+
+@@ -551,7 +555,7 @@ static void hid_device_release(struct de
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -414,10 +414,12 @@ struct hid_report {
+ struct hid_device *device; /* associated device */
+ };
+
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ unsigned numbered;
+ struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+
+ #define HID_REPORT_TYPES 3
diff --git a/queue-3.0/series b/queue-3.0/series
index b5736b85d1f..1994f1dcbee 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -16,3 +16,6 @@ alsa-hda-add-toshiba-satellite-c870-to-msi-blacklist.patch
 ath9k-always-clear-ps-filter-bit-on-new-assoc.patch
 ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch
 hid-pantherlord-validate-output-report-details.patch
+hid-validate-hid-report-id-size.patch
+hid-ntrig-validate-feature-report-details.patch
+hid-check-for-null-field-when-setting-values.patch
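Review bot: The new bound in hid_register_report, `if (id >= HID_MAX_IDS) return NULL;`, closes the out-of-range index only if `id` is an unsigned type. The signature is truncated in the hunk header, so this should be confirmed, since a negative signed id would pass the comparison. Writing the bound against the array itself, `if (id >= ARRAY_SIZE(report_enum->report_id_hash))`, would keep the check correct even if the array declaration and HID_MAX_IDS ever diverge. In hid_parser_global the rejection moved from dbg_hid to hid_err, which is reasonable for a malformed descriptor but lets a misbehaving device write to the kernel log at error level on each failed parse. Other code that indexes report_id_hash with a device-supplied id lies outside this patch and is not covered by these hunks.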