| From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 28 Aug 2013 22:31:44 +0200 |
| Subject: HID: sensor-hub: validate feature report details |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| commit 9e8910257397372633e74b333ef891f20c800ee4 upstream. |
| |
| A HID device could send a malicious feature report that would cause the |
| sensor-hub HID driver to read past the end of a heap allocation, leaking |
| kernel memory contents to the caller. |
| |
| CVE-2013-2898 |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/hid-sensor-hub.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/hid/hid-sensor-hub.c |
| +++ b/drivers/hid/hid-sensor-hub.c |
| @@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_se |
| |
| mutex_lock(&data->mutex); |
| report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); |
| - if (!report || (field_index >= report->maxfield)) { |
| + if (!report || (field_index >= report->maxfield) || |
| + report->field[field_index]->report_count < 1) { |
| ret = -EINVAL; |
| goto done_proc; |
| } |
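Review bot: The added `report->field[field_index]->report_count < 1` test has no comment saying which later access it protects, and it is only safe because the `field_index >= report->maxfield` test short-circuits before the dereference. I would add above the condition `/* report_count comes from the device's report descriptor; reject a field with no values before its value array is read, and keep the maxfield bound first */`. The read itself and the rest of sensor_hub_get_feature lie outside this hunk, so that it reads the field's first value is inferred from the commit message. The hunk header truncates the signature, so confirm that `field_index` is unsigned; a signed negative index would pass the `>=` test. Any other path in this file that indexes a feature report field's values from a caller-chosen `field_index` presumably needs the same guard.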