| From 9c0835a776f545c573e50f968b026e786f38f251 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 28 Aug 2013 22:30:49 +0200 |
| Subject: [PATCH] HID: pantherlord: validate output report details |
| |
| commit 412f30105ec6735224535791eed5cdc02888ecb4 upstream. |
| |
| A HID device could send a malicious output report that would cause the |
| pantherlord HID driver to write beyond the output report allocation |
| during initialization, causing a heap overflow: |
| |
| [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 |
| ... |
| [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten |
| |
| CVE-2013-2892 |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| drivers/hid/hid-pl.c | 10 ++++++++-- |
| 1 file changed, 8 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c |
| index 9f41e2bd8483..427f3a57aa23 100644 |
| --- a/drivers/hid/hid-pl.c |
| +++ b/drivers/hid/hid-pl.c |
| @@ -129,8 +129,14 @@ static int plff_init(struct hid_device *hid) |
| strong = &report->field[0]->value[2]; |
| weak = &report->field[0]->value[3]; |
| debug("detected single-field device"); |
| - } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && |
| - report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { |
| + } else if (report->field[0]->maxusage == 1 && |
| + report->field[0]->usage[0].hid == |
| + (HID_UP_LED | 0x43) && |
| + report->maxfield >= 4 && |
| + report->field[0]->report_count >= 1 && |
| + report->field[1]->report_count >= 1 && |
| + report->field[2]->report_count >= 1 && |
| + report->field[3]->report_count >= 1) { |
| report->field[0]->value[0] = 0x00; |
| report->field[1]->value[0] = 0x00; |
| strong = &report->field[2]->value[0]; |
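Review bot: The new condition is order-sensitive and the reason is not recorded anywhere in the source: `maxfield >= 4` must stay ahead of the `field[1]`..`field[3]` dereferences, and each `report_count >= 1` term exists to guard the `value[0]` access on that same field in the lines that follow, so a future reordering or "simplification" of the chain would silently reintroduce the out-of-bounds write. A short comment above the `else if` would pin that down, e.g. `/* Order matters: maxfield >= 4 guards field[1..3]; each report_count >= 1 guards the value[0] access on that field below. */`. The dereference of `report->field[0]` before the `maxfield` term is only safe if a `maxfield >= 1` check precedes this branch; that check, the single-field branch's condition and the `weak = &report->field[3]->value[0]` assignment all sit outside the hunk, since plff_init starts and ends beyond it, so please confirm the earlier guard is present in this tree.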
| -- |
| 1.8.5.2 |
| |