| From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 28 Aug 2013 22:30:49 +0200 |
| Subject: HID: pantherlord: validate output report details |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| commit 412f30105ec6735224535791eed5cdc02888ecb4 upstream. |
| |
| A HID device could send a malicious output report that would cause the |
| pantherlord HID driver to write beyond the output report allocation |
| during initialization, causing a heap overflow: |
| |
| [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 |
| ... |
| [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten |
| |
| CVE-2013-2892 |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/hid-pl.c | 10 ++++++++-- |
| 1 file changed, 8 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/hid/hid-pl.c |
| +++ b/drivers/hid/hid-pl.c |
| @@ -128,8 +128,14 @@ static int plff_init(struct hid_device * |
| strong = &report->field[0]->value[2]; |
| weak = &report->field[0]->value[3]; |
| debug("detected single-field device"); |
| - } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && |
| - report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { |
| + } else if (report->field[0]->maxusage == 1 && |
| + report->field[0]->usage[0].hid == |
| + (HID_UP_LED | 0x43) && |
| + report->maxfield >= 4 && |
| + report->field[0]->report_count >= 1 && |
| + report->field[1]->report_count >= 1 && |
| + report->field[2]->report_count >= 1 && |
| + report->field[3]->report_count >= 1) { |
| report->field[0]->value[0] = 0x00; |
| report->field[1]->value[0] = 0x00; |
| strong = &report->field[2]->value[0]; |
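Review bot: The new condition dereferences `report->field[0]` (maxusage, usage[0].hid) before `report->maxfield >= 4` is tested, so it depends on an earlier guard establishing that at least one field exists; that guard, like the single-field branch's condition and the writes to `weak` that justify `field[3]->report_count >= 1`, lies outside the hunk (plff_init starts before it and continues after it). A short comment ahead of the `else if` would make the invariant the checks protect explicit, e.g. `/* value[0] of fields 0..3 is written below; each field must carry at least one value, and field[0] is known to exist from the maxfield check above */`. Since the two branches validate different shapes of the same report, naming in that comment that the single-field path needs field[0]->report_count >= 4 while this path needs four one-value fields would help the next reader see why the report_count bounds differ.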