| From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 28 Aug 2013 22:31:28 +0200 |
| Subject: HID: ntrig: validate feature report details |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream. |
| |
| A HID device could send a malicious feature report that would cause the |
| ntrig HID driver to trigger a NULL dereference during initialization: |
| |
| [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 |
| ... |
| [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 |
| [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig] |
| |
| CVE-2013-2896 |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/hid-ntrig.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/hid/hid-ntrig.c |
| +++ b/drivers/hid/hid-ntrig.c |
| @@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct |
| struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. |
| report_id_hash[0x0d]; |
| |
| - if (!report) |
| + if (!report || report->maxfield < 1 || |
| + report->field[0]->report_count < 1) |
| return -EINVAL; |
| |
| hid_hw_request(hdev, report, HID_REQ_GET_REPORT); |