From: Greg Kroah-Hartman
Date: Tue, 26 Aug 2014 23:26:46 +0000 (-0700)
Subject: 3.16-stable patches
X-Git-Tag: v3.10.54~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f52e6f461463d63d482059efb69ff26252238d02;p=thirdparty%2Fkernel%2Fstable-queue.git
3.16-stable patches
added patches:
hid-fix-a-couple-of-off-by-ones.patch
hid-logitech-fix-bounds-checking-on-led-report-size.patch
hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
---
diff --git a/queue-3.16/hid-fix-a-couple-of-off-by-ones.patch b/queue-3.16/hid-fix-a-couple-of-off-by-ones.patch
new file mode 100644
index 00000000000..f143df54071
--- /dev/null
+++ b/queue-3.16/hid-fix-a-couple-of-off-by-ones.patch
@@ -0,0 +1,100 @@
+From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: HID: fix a couple of off-by-ones
+
+From: Jiri Kosina
+
+commit 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 upstream.
+
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+
+Reported-by: Ben Hawkes
+Reviewed-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-cherry.c | 2 +-
+ drivers/hid/hid-kye.c | 2 +-
+ drivers/hid/hid-lg.c | 4 ++--
+ drivers/hid/hid-monterey.c | 2 +-
+ drivers/hid/hid-petalynx.c | 2 +-
+ drivers/hid/hid-sunplus.c | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-cherry.c
++++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
++ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+ hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+ rdesc[11] = rdesc[16] = 0xff;
+ rdesc[12] = rdesc[17] = 0x03;
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid
+ * - change the button usage range to 4-7 for the extra
+ * buttons
+ */
+- if (*rsize >= 74 &&
++ if (*rsize >= 75 &&
+ rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+ rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+ rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_
+ struct usb_device_descriptor *udesc;
+ __u16 bcdDevice, rev_maj, rev_min;
+
+- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
++ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+ rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+ hid_info(hdev,
+ "fixing up Logitech keyboard report descriptor\n");
+ rdesc[84] = rdesc[89] = 0x4d;
+ rdesc[85] = rdesc[90] = 0x10;
+ }
+- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
++ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+ rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+ rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+ hid_info(hdev,
+--- a/drivers/hid/hid-monterey.c
++++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
++ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+ hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+ rdesc[30] = 0x0c;
+ }
+--- a/drivers/hid/hid-petalynx.c
++++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
++ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+ rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+ rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+ hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+--- a/drivers/hid/hid-sunplus.c
++++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
++ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+ rdesc[106] == 0x03) {
+ hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+ rdesc[105] = rdesc[110] = 0x03;
diff --git a/queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch b/queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch
new file mode 100644
index 00000000000..f10540c3f77
--- /dev/null
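Review bot: The size thresholds in the fixups of hid-fix-a-couple-of-off-by-ones.patch are still bare literals that must be kept by hand at "highest rdesc index touched + 1", and nothing at the check records which index that is. The old values show how easily this drifts: in hid-petalynx.c `*rsize >= 60` let the condition read `rdesc[60]` and `rdesc[61]`, and in hid-sunplus.c `*rsize >= 107` allowed the write to `rdesc[110]`, so both were short by more than one byte despite the subject line. A one-line comment above each test would make the invariant reviewable, for example `/* fixup touches rdesc[11]..rdesc[17]: need at least 18 bytes */` in ch_report_fixup(). In sp_report_fixup() the new bound of 112 implies an access to `rdesc[111]` that lies outside the hunk, so that value should be confirmed against the full function. The descriptor contents and length are supplied by the attached device, so each literal is a memory-safety boundary and deserves that documentation.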
+++ b/queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch
@@ -0,0 +1,38 @@
+From 51217e69697fba92a06e07e16f55c9a52d8e8945 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Thu, 21 Aug 2014 09:56:47 -0500
+Subject: HID: logitech: fix bounds checking on LED report size
+
+From: Jiri Kosina
+
+commit 51217e69697fba92a06e07e16f55c9a52d8e8945 upstream.
+
+The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
+is wrong; the current check doesn't make any sense -- the report allocated
+by HID core in hid_hw_raw_request() can be much larger than
+DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
+handle this properly at all.
+
+Fix the check by actually trimming down the report size properly if it is
+too large.
+
+Reported-by: Ben Hawkes
+Reviewed-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-logitech-dj.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -557,7 +557,7 @@ static int logi_dj_ll_raw_request(struct
+ if (!out_buf)
+ return -ENOMEM;
+
+- if (count < DJREPORT_SHORT_LENGTH - 2)
++ if (count > DJREPORT_SHORT_LENGTH - 2)
+ count = DJREPORT_SHORT_LENGTH - 2;
+
+ out_buf[0] = REPORT_ID_DJ_SHORT;
diff --git a/queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch b/queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
new file mode 100644
index 00000000000..524aa0e51f9
--- /dev/null
+++ b/queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
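Review bot: The corrected clamp in logi_dj_ll_raw_request() shortens an oversized LED report silently, and the `- 2` is unexplained at the point of use. The visible lines only show that `out_buf` was allocated just above and that its first byte becomes `REPORT_ID_DJ_SHORT`; the two bytes are presumably the DJ header, with the copy of `count` bytes following outside the hunk. I would add `/* out_buf carries a 2-byte DJ header; clamp the payload so the copy cannot run past DJREPORT_SHORT_LENGTH */` above the test and write the clamp with the kernel helper, `count = min_t(size_t, count, DJREPORT_SHORT_LENGTH - 2);`, assuming `count` is a size_t here. The function body starts and ends outside the hunk, so whether the caller learns about the truncation through the return value cannot be checked from this page.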
@@ -0,0 +1,60 @@
+From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Thu, 21 Aug 2014 09:57:17 -0500
+Subject: HID: logitech: perform bounds checking on device_id early enough
+
+From: Jiri Kosina
+
+commit ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 upstream.
+
+device_index is a char type and the size of paired_dj_deivces is 7
+elements, therefore proper bounds checking has to be applied to
+device_index before it is used.
+
+We are currently performing the bounds checking in
+logi_dj_recv_add_djhid_device(), which is too late, as malicious device
+could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
+problem in one of the report forwarding functions called from
+logi_dj_raw_event().
+
+Fix this by performing the check at the earliest possible ocasion in
+logi_dj_raw_event().
+
+Reported-by: Ben Hawkes
+Reviewed-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-logitech-dj.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_devic
+ return;
+ }
+
+- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
+- __func__, dj_report->device_index);
+- return;
+- }
+-
+ if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
+ /* The device is already known. No need to reallocate it. */
+ dbg_hid("%s: device is already known\n", __func__);
+@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_
+ * device (via hid_input_report() ) and return 1 so hid-core does not do
+ * anything else with it.
+ */
++ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
++ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
++ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
++ __func__, dj_report->device_index);
++ return false;
++ }
+
+ spin_lock_irqsave(&djrcv_dev->lock, flags);
+ if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
diff --git a/queue-3.16/series b/queue-3.16/series
index 4a6e33765e2..df127cfae1a 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -1,2 +1,5 @@
 stable_kernel_rules-add-pointer-to-netdev-faq-for-network-patches.patch
 mips-math-emu-fix-instruction-decoding.patch
+hid-logitech-fix-bounds-checking-on-led-report-size.patch
+hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
+hid-fix-a-couple-of-off-by-ones.patch
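Review bot: In logi_dj_raw_event() the new range check sits before the `if (dj_report->report_id == REPORT_ID_DJ_SHORT)` test, so it applies to every report the receiver delivers, including ones that are not DJ reports and whose byte at `device_index` may not be a device index at all. Such reports would now be rejected here and logged through an unthrottled `dev_err()`, which a misbehaving or hostile device can use to flood the kernel log. Consider moving the check inside the `REPORT_ID_DJ_SHORT` branch, ahead of the forwarding calls the commit message refers to and releasing `djrcv_dev->lock` on the early return, and switching the message to `dev_err_ratelimited(&hdev->dev, ...)`. The function is declared `static int`, so `return false;` reads better as `return 0;`; since the comment above says returning 1 stops hid-core from handling the report, it is worth confirming that 0 is the intended result for a malformed one. The function body starts and ends outside the hunk.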