| From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 28 Aug 2013 22:31:52 +0200 |
| Subject: HID: picolcd_core: validate output report details |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream. |
| |
| A HID device could send a malicious output report that would cause the |
| picolcd HID driver to trigger a NULL dereference during attr file writing. |
| |
| [jkosina@suse.cz: changed |
| |
| report->maxfield < 1 |
| |
| to |
| |
| report->maxfield != 1 |
| |
| as suggested by Bruno]. |
| |
| CVE-2013-2899 |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org> |
| Acked-by: Bruno Prémont <bonbons@linux-vserver.org> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/hid-picolcd_core.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/hid/hid-picolcd_core.c |
| +++ b/drivers/hid/hid-picolcd_core.c |
| @@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_st |
| buf += 10; |
| cnt -= 10; |
| } |
| - if (!report) |
| + if (!report || report->maxfield != 1) |
| return -EINVAL; |
| |
| while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) |
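Review bot: the added test `report->maxfield != 1` on the `+` line bounds the number of fields in the report but not the size of that one field. If the code after this hunk writes into `report->field[0]->value[]`, the same condition should also check `report->field[0]->report_count` against the highest index used, or the lookup should go through `hid_validate_values()` in trees that carry that helper. A one-line comment above the test stating why exactly one field is required, rather than at least one, would keep the `< 1` versus `!= 1` question from the commit message from coming up again. Since `-EINVAL` is returned both for a missing report and for a malformed one, a write to the attribute fails the same way as for bad user input; a warning logged on this path would make a misbehaving device easier to spot.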