]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
projects / thirdparty / kernel / stable.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f9653a5) | patch
HID: validate HID report id size
authorKees Cook <keescook@chromium.org>
Wed, 28 Aug 2013 20:29:55 +0000 (20:29 +0000)
committerWilly Tarreau <w@1wt.eu>
Mon, 19 May 2014 05:53:27 +0000 (07:53 +0200)
commitdc4108776e19ac3f653c288138b1f23da655eb61
treec94c56d197852c6f3e99737af234373733ed4285tree
parentf9653a5ab3bba8a3ace8174df52776ee98239c4acommit | diff
HID: validate HID report id size

commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream

The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[jmm: backport to 2.6.32]
Signed-off-by: Willy Tarreau <w@1wt.eu>
drivers/hid/hid-core.c diff | blob | blame | history
include/linux/hid.h diff | blob | blame | history
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git