--- /dev/null
+From 6c2794a2984f4c17a58117a68703cc7640f01c5a Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Mon, 2 Sep 2013 13:43:00 +0200
+Subject: HID: battery: don't do DMA from stack
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream.
+
+Instead of using data from stack for DMA in hidinput_get_battery_property(),
+allocate the buffer dynamically.
+
+Reported-by: Richard Ryniker <ryniker@alum.mit.edu>
+Reported-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -314,7 +314,7 @@ static int hidinput_get_battery_property
+ {
+ struct hid_device *dev = container_of(psy, struct hid_device, battery);
+ int ret = 0;
+- __u8 buf[2] = {};
++ __u8 *buf;
+
+ switch (prop) {
+ case POWER_SUPPLY_PROP_PRESENT:
+@@ -323,13 +323,20 @@ static int hidinput_get_battery_property
+ break;
+
+ case POWER_SUPPLY_PROP_CAPACITY:
++
++ buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL);
++ if (!buf) {
++ ret = -ENOMEM;
++ break;
++ }
+ ret = dev->hid_get_raw_report(dev, dev->battery_report_id,
+- buf, sizeof(buf),
++ buf, 2,
+ dev->battery_report_type);
+
+ if (ret != 2) {
+ if (ret >= 0)
+ ret = -EINVAL;
++ kfree(buf);
+ break;
+ }
+
+@@ -338,6 +345,7 @@ static int hidinput_get_battery_property
+ buf[1] <= dev->battery_max)
+ val->intval = (100 * (buf[1] - dev->battery_min)) /
+ (dev->battery_max - dev->battery_min);
++ kfree(buf);
+ break;
+
+ case POWER_SUPPLY_PROP_MODEL_NAME:
--- /dev/null
+From be67b68d52fa28b9b721c47bb42068f0c1214855 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: HID: check for NULL field when setting values
+
+From: Kees Cook <keescook@chromium.org>
+
+commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream.
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -999,7 +999,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
--- /dev/null
+From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:28 +0200
+Subject: HID: ntrig: validate feature report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream.
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ usbhid_submit_report(hdev, report, USB_DIR_IN);
--- /dev/null
+From 9e0bf92c223dabe0789714f8f85f6e26f8f9cda4 Mon Sep 17 00:00:00 2001
+From: Vasily Titskiy <qehgt0@gmail.com>
+Date: Fri, 30 Aug 2013 18:25:04 -0400
+Subject: HID: usbhid: quirk for N-Trig DuoSense Touch Screen
+
+From: Vasily Titskiy <qehgt0@gmail.com>
+
+commit 9e0bf92c223dabe0789714f8f85f6e26f8f9cda4 upstream.
+
+The DuoSense touchscreen device causes a 10 second timeout. This fix
+removes the delay.
+
+Signed-off-by: Vasily Titskiy <qehgt0@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/usbhid/hid-quirks.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -595,6 +595,7 @@
+ #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_16 0x0012
+ #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_17 0x0013
+ #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_18 0x0014
++#define USB_DEVICE_ID_NTRIG_DUOSENSE 0x1500
+
+ #define USB_VENDOR_ID_ONTRAK 0x0a07
+ #define USB_DEVICE_ID_ONTRAK_ADU100 0x0064
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -103,6 +103,8 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X, HID_QUIRK_MULTI_INPUT },
++ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
++
+ { 0, 0 }
+ };
+
--- /dev/null
+From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:29:55 +0200
+Subject: HID: validate HID report id size
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(s
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -385,8 +387,10 @@ static int hid_parser_global(struct hid_
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+ return -1;
+ }
+ return 0;
+@@ -557,7 +561,7 @@ static void hid_device_release(struct de
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -420,10 +420,12 @@ struct hid_report {
+ struct hid_device *device; /* associated device */
+ };
+
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ unsigned numbered;
+ struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+
+ #define HID_REPORT_TYPES 3
ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch
hid-pantherlord-validate-output-report-details.patch
hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch
+hid-validate-hid-report-id-size.patch
+hid-ntrig-validate-feature-report-details.patch
+hid-battery-don-t-do-dma-from-stack.patch
+hid-check-for-null-field-when-setting-values.patch
+hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
