* [gentoo-commits] linux-patches r2527 - genpatches-2.6/trunk/3.10.7
@ 2013-09-25 15:19 Tom Wijsman (tomwij)
From: Tom Wijsman (tomwij) @ 2013-09-25 15:19 UTC
To: gentoo-commits
Author: tomwij
Date: 2013-09-25 15:19:30 +0000 (Wed, 25 Sep 2013)
New Revision: 2527
Added:
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2888-HID-validate-HID-report-id-size.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2889-HID-zeroplus-validate-output-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2891-HID-steelseries-validate-output-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2892-HID-pantherlord-validate-output-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2894-HID-lenovo-tpkbd-validate-output-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2895-HID-logitech-dj-validate-output-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2896-HID-ntrig-validate-feature-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2897-HID-multitouch-validate-indexes-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2898-HID-sensor-hub-validate-feature-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2899-HID-picolcd_core-validate-output-report-details.patch
genpatches-2.6/trunk/3.10.7/1500_HID-check-for-NULL-field-when-setting-values.patch
genpatches-2.6/trunk/3.10.7/1500_HID-provide-a-helper-for-validating-hid-reports.patch
Modified:
genpatches-2.6/trunk/3.10.7/0000_README
Log:
Added patches for HID security flaws for CVE-2013-2888 - CVE-2013-2899, see bug #482896 for more information.
Modified: genpatches-2.6/trunk/3.10.7/0000_README
===================================================================
--- genpatches-2.6/trunk/3.10.7/0000_README 2013-09-15 10:15:36 UTC (rev 2526)
+++ genpatches-2.6/trunk/3.10.7/0000_README 2013-09-25 15:19:30 UTC (rev 2527)
@@ -67,10 +67,58 @@
From: http://www.kernel.org
Desc: Linux 3.10.7
+Patch: 1500_CVE-2013-2888-HID-validate-HID-report-id-size.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/plain/queue-3.10/hid-validate-hid-report-id-size.patch
+Desc: CVE-2013-2888: HID: validate HID report id size
+
+Patch: 1500_CVE-2013-2889-HID-zeroplus-validate-output-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=78214e81a1bf43740ce89bb5efda78eac2f8ef83
+Desc: CVE-2013-2889: HID: zeroplus: validate output report details
+
+Patch: 1500_CVE-2013-2891-HID-steelseries-validate-output-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=41df7f6d43723deb7364340b44bc5d94bf717456
+Desc: CVE-2013-2891: HID: steelseries: validate output report details
+
+Patch: 1500_CVE-2013-2892-HID-pantherlord-validate-output-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/plain/queue-3.10/hid-pantherlord-validate-output-report-details.patch
+Desc: CVE-2013-2892: HID: pantherlord: validate output report details
+
+Patch: 1500_CVE-2013-2894-HID-lenovo-tpkbd-validate-output-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=0a9cd0a80ac559357c6a90d26c55270ed752aa26
+Desc: CVE-2013-2894: HID: lenovo-tpkbd: validate output report details
+
+Patch: 1500_CVE-2013-2895-HID-logitech-dj-validate-output-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=297502abb32e225fb23801fcdb0e4f6f8e17099a
+Desc: CVE-2013-2895: HID: logitech-dj: validate output report details
+
+Patch: 1500_CVE-2013-2896-HID-ntrig-validate-feature-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/plain/queue-3.10/hid-ntrig-validate-feature-report-details.patch
+Desc: CVE-2013-2896: HID: ntrig: validate feature report details
+
+Patch: 1500_CVE-2013-2897-HID-multitouch-validate-indexes-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=8821f5dc187bdf16cfb32ef5aa8c3035273fa79a
+Desc: CVE-2013-2897: HID: multitouch: validate indexes details
+
+Patch: 1500_CVE-2013-2898-HID-sensor-hub-validate-feature-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/plain/queue-3.10/hid-sensor-hub-validate-feature-report-details.patch
+Desc: CVE-2013-2898: HID: sensor-hub: validate feature report details
+
+Patch: 1500_CVE-2013-2899-HID-picolcd_core-validate-output-report-details.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/plain/queue-3.10/hid-picolcd_core-validate-output-report-details.patch
+Desc: CVE-2013-2899: HID: picolcd_core: validate output report details
+
Patch: 1500_CVE-2013-4300-net-Check-the-correct-namespace-when-spoofing-pid-ov.patch
From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=d661684cf6820331feae71146c35da83d794467e
Desc: CVE-2013-4300: PID Spoofing Privilege Escalation Vulnerability
+Patch: 1500_HID-check-for-NULL-field-when-setting-values.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/plain/queue-3.10/hid-check-for-null-field-when-setting-values.patch
+Desc: Additional patch for CVE-2013-2888 - CVE-2013-2899: HID: check for NULL field when setting values
+
+Patch: 1500_HID-provide-a-helper-for-validating-hid-reports.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=331415ff16a12147d57d5c953f3a961b7ede348b
+Desc: Helper for CVE-2013-2888 - CVE-2013-2899: HID: provide a helper for validating hid reports
+
Patch: 1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f30d87b004dcb4b260dcb2667d5ef6998f4aac1f
Desc: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.
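Review bot: several `From:` lines in this hunk (the CVE-2013-2888, -2892, -2896, -2898 and -2899 entries and the NULL-field entry) point at `stable-queue.git/plain/queue-3.10/...` files, which are deleted from the queue once the fix ships in a 3.10.y release, so those provenance links will rot; the entries that cite a `torvalds/linux.git/patch/?id=<sha>` URL are the durable form, and each queued patch carries its upstream id in a `commit ... upstream` line, so the queue URLs can be swapped for those. Separately, the apply order implied by the `1500_CVE-...` names puts the four drivers that call `hid_validate_values()` (zeroplus, steelseries, lenovo-tpkbd, logitech-dj) before `1500_HID-provide-a-helper-for-validating-hid-reports.patch`; that is harmless because the helper is only resolved at compile time, but the helper's `Desc:` could state that the driver patches depend on it.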
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2888-HID-validate-HID-report-id-size.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2888-HID-validate-HID-report-id-size.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2888-HID-validate-HID-report-id-size.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,77 @@
+From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:29:55 +0200
+Subject: HID: validate HID report id size
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(s
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+ return -1;
+ }
+ return 0;
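Review bot: the parser-side check is the one that matters for a hostile descriptor, because it fails the parse before any report is registered; `%u` matches the unsigned `report_id`, and printing the offending value gives a usable kernel-log signal for devices that present out-of-range Report ID items.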
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
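Review bot: replacing the literal 256 with HID_MAX_IDS in hid_close_report() is right; worth grepping hid-core.c and the drivers for any remaining literal 256 bound on report_id_hash so a later change to HID_MAX_IDS cannot leave a loop desynchronised from the array size.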
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -393,10 +393,12 @@ struct hid_report {
+ struct hid_device *device; /* associated device */
+ };
+
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ unsigned numbered;
+ struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+
+ #define HID_REPORT_TYPES 3
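Review bot: HID_MAX_IDS is defined right next to its user `report_id_hash[HID_MAX_IDS]`, which is fine; a one-line comment stating that the bound is the range of the 8-bit Report ID item (0..255, with 0 rejected by the parser check in hid-core.c) would explain why 256 and not a larger value.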
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2889-HID-zeroplus-validate-output-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2889-HID-zeroplus-validate-output-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2889-HID-zeroplus-validate-output-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,54 @@
+From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 19:56:51 +0000
+Subject: HID: zeroplus: validate output report details
+
+The zeroplus HID driver was not checking the size of allocated values
+in fields it used. A HID device could send a malicious output report
+that would cause the driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+...
+[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2889
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
+index 6ec28a3..a29756c 100644
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid)
+ struct hid_report *report;
+ struct hid_input *hidinput = list_entry(hid->inputs.next,
+ struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- int error;
++ int i, error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
+- return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 4) {
+- hid_err(hid, "not enough fields in report\n");
+- return -ENODEV;
++ for (i = 0; i < 4; i++) {
++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
++ if (!report)
++ return -ENODEV;
+ }
+
+ zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
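Review bot: the loop calls hid_validate_values() four times with the same type and id, so each call returns the same report and `report` holds that report after `i == 3`; that is correct, the repetition exists to check report_count on fields 0..3 individually, but a one-line comment would save the next reader the question. Note the behavioural change: the old code took the first entry of the output report list, the new code looks up report id 0 explicitly (the helper documents "0 for first"), so a device whose force-feedback output report carries a non-zero id now fails probe with -ENODEV instead of being used.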
+--
+cgit v0.9.2
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2891-HID-steelseries-validate-output-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2891-HID-steelseries-validate-output-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2891-HID-steelseries-validate-output-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,38 @@
+From 41df7f6d43723deb7364340b44bc5d94bf717456 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 19:56:53 +0000
+Subject: HID: steelseries: validate output report details
+
+A HID device could send a malicious output report that would cause the
+steelseries HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+...
+[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2891
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
+index d164911..29f328f 100644
+--- a/drivers/hid/hid-steelseries.c
++++ b/drivers/hid/hid-steelseries.c
+@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
+ goto err_free;
+ }
+
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) {
++ ret = -ENODEV;
++ goto err_free;
++ }
++
+ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ if (ret) {
+ hid_err(hdev, "hw start failed\n");
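Review bot: the literal 16 in the hid_validate_values() call is the number of values the driver later writes into field 0 of output report 0; a named constant shared with that write path would keep the check and the writes in sync if either changes. Placing the check before hid_hw_start() and reusing the existing `err_free` label is the right ordering, since the device is rejected before it is started and connected to the upper interfaces.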
+--
+cgit v0.9.2
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2892-HID-pantherlord-validate-output-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2892-HID-pantherlord-validate-output-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2892-HID-pantherlord-validate-output-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,46 @@
+From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:30:49 +0200
+Subject: HID: pantherlord: validate output report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 412f30105ec6735224535791eed5cdc02888ecb4 upstream.
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *
+ strong = &report->field[0]->value[2];
+ weak = &report->field[0]->value[3];
+ debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+ report->field[0]->value[0] = 0x00;
+ report->field[1]->value[0] = 0x00;
+ strong = &report->field[2]->value[0];
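Review bot: the reordered condition depends on `&&` short-circuiting: `maxusage == 1` is tested before `usage[0].hid` is read, and `maxfield >= 4` before `field[1..3]->report_count` are read, so evaluating the check itself cannot read out of bounds. The single-field branch above (context lines `strong = &report->field[0]->value[2]` and `weak = &report->field[0]->value[3]`) needs `field[0]->report_count >= 4`; that branch's condition is outside this hunk, so confirm it carries the equivalent check, otherwise the same class of overflow remains on the single-field path.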
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2894-HID-lenovo-tpkbd-validate-output-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2894-HID-lenovo-tpkbd-validate-output-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2894-HID-lenovo-tpkbd-validate-output-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,43 @@
+From 0a9cd0a80ac559357c6a90d26c55270ed752aa26 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 19:56:55 +0000
+Subject: HID: lenovo-tpkbd: validate output report details
+
+A HID device could send a malicious output report that would cause the
+lenovo-tpkbd HID driver to write just beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+...
+[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2894
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
+index 07837f5..762d988 100644
+--- a/drivers/hid/hid-lenovo-tpkbd.c
++++ b/drivers/hid/hid-lenovo-tpkbd.c
+@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
+ struct tpkbd_data_pointer *data_pointer;
+ size_t name_sz = strlen(dev_name(dev)) + 16;
+ char *name_mute, *name_micmute;
+- int ret;
++ int i, ret;
++
++ /* Validate required reports. */
++ for (i = 0; i < 4; i++) {
++ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1))
++ return -ENODEV;
++ }
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2))
++ return -ENODEV;
+
+ if (sysfs_create_group(&hdev->dev.kobj,
+ &tpkbd_attr_group_pointer)) {
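Review bot: doing the report validation before sysfs_create_group() is the right order, since failing afterwards would require removing the group again; the loop bound 4 and the value counts 1 and 2 are the indexes the driver writes later, so as with the other drivers in this series a constant shared with the write path would prevent the check and the writes drifting apart.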
+--
+cgit v0.9.2
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2895-HID-logitech-dj-validate-output-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2895-HID-logitech-dj-validate-output-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2895-HID-logitech-dj-validate-output-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,58 @@
+From 297502abb32e225fb23801fcdb0e4f6f8e17099a Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 19:56:56 +0000
+Subject: HID: logitech-dj: validate output report details
+
+A HID device could send a malicious output report that would cause the
+logitech-dj HID driver to leak kernel memory contents to the device, or
+trigger a NULL dereference during initialization:
+
+[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+...
+[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+[ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+CVE-2013-2895
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index 7800b14..2e53024 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ struct hid_report *report;
+ struct hid_report_enum *output_report_enum;
+ u8 *data = (u8 *)(&dj_report->device_index);
+- int i;
++ unsigned int i;
+
+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ return -ENODEV;
+ }
+
+- for (i = 0; i < report->field[0]->report_count; i++)
++ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
+ report->field[0]->value[i] = data[i];
+
+ hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
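Review bot: the loop bound is now the fixed DJREPORT_SHORT_LENGTH - 1 instead of the device-controlled `report->field[0]->report_count`, which is what stops the copy from reading past `data` when a descriptor declares a large count (the leak of kernel memory to the device named in the commit message); the writes into `value[i]` are in turn only safe because the probe hunk below checks that field 0 holds at least DJREPORT_SHORT_LENGTH - 1 values, so these two hunks must always be backported together.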
+@@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev,
+ goto hid_parse_fail;
+ }
+
++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++ 0, DJREPORT_SHORT_LENGTH - 1)) {
++ retval = -ENODEV;
++ goto hid_parse_fail;
++ }
++
+ /* Starts the usb device and connects to upper interfaces hiddev and
+ * hidraw */
+ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
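Review bot: the validation covers output report REPORT_ID_DJ_SHORT, field 0, which is exactly what logi_dj_recv_send_report() writes; if the driver sends any other output report id to the receiver, that id needs the same check. Reusing `hid_parse_fail` with -ENODEV keeps the cleanup path consistent with the hid_parse() failure just above it.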
+--
+cgit v0.9.2
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2896-HID-ntrig-validate-feature-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2896-HID-ntrig-validate-feature-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2896-HID-ntrig-validate-feature-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,40 @@
+From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:28 +0200
+Subject: HID: ntrig: validate feature report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream.
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
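Review bot: the added `maxfield < 1 || field[0]->report_count < 1` test covers the GET_REPORT path, and `report_id_hash[0x0d]` is safe to index because 0x0d is below HID_MAX_IDS; any sibling helper that issues SET_REPORT on the same feature report 0x0d needs the identical test, since it dereferences the same field[0] on the way in.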
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2897-HID-multitouch-validate-indexes-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2897-HID-multitouch-validate-indexes-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2897-HID-multitouch-validate-indexes-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,81 @@
+From 8821f5dc187bdf16cfb32ef5aa8c3035273fa79a Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Wed, 11 Sep 2013 19:56:58 +0000
+Subject: HID: multitouch: validate indexes details
+
+When working on report indexes, always validate that they are in bounds.
+Without this, a HID device could report a malicious feature report that
+could trick the driver into a heap overflow:
+
+[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+...
+[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+Note that we need to change the indexes from s8 to s16 as they can
+be between -1 and 255.
+
+CVE-2013-2897
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index ac28f08..5e5fe1b 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -101,9 +101,9 @@ struct mt_device {
+ unsigned last_slot_field; /* the last field of a slot */
+ unsigned mt_report_id; /* the report ID of the multitouch device */
+ unsigned pen_report_id; /* the report ID of the pen device */
+- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */
+- __s8 inputmode_index; /* InputMode HID feature index in the report */
+- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature,
++ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */
++ __s16 inputmode_index; /* InputMode HID feature index in the report */
++ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature,
+ -1 if non-existent */
+ __u8 num_received; /* how many contacts we received */
+ __u8 num_expected; /* expected last contact index */
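Review bot: widening the three indexes from __s8 to __s16 is needed for correctness beyond the overflow fix: a report id in 128..255 stored in an __s8 reads back negative, so the -1 "non-existent" sentinel could collide with a real id; keep the initialisation of these fields to -1 (not in this hunk) in sync and check any comparison site that assumed an 8-bit range.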
+@@ -312,20 +312,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ struct hid_field *field, struct hid_usage *usage)
+ {
+ struct mt_device *td = hid_get_drvdata(hdev);
+- int i;
+
+ switch (usage->hid) {
+ case HID_DG_INPUTMODE:
+- td->inputmode = field->report->id;
+- td->inputmode_index = 0; /* has to be updated below */
+-
+- for (i=0; i < field->maxusage; i++) {
+- if (field->usage[i].hid == usage->hid) {
+- td->inputmode_index = i;
+- break;
+- }
++ /* Ignore if value index is out of bounds. */
++ if (usage->usage_index >= field->report_count) {
++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
++ break;
+ }
+
++ td->inputmode = field->report->id;
++ td->inputmode_index = usage->usage_index;
++
+ break;
+ case HID_DG_CONTACTMAX:
+ td->maxcontact_report_id = field->report->id;
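Review bot: on the out-of-range branch the `break` leaves td->inputmode untouched, i.e. at its -1 "non-existent" value, so the driver degrades to not setting the input mode rather than failing probe; that is a reasonable choice but deserves a comment, and dev_err() firing once per offending usage is an acceptable log signal for a hostile descriptor. The removed loop searched field->usage[] for the matching hid and `usage->usage_index` is that position without the scan, so there is no semantic change beyond the bounds check.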
+@@ -511,6 +509,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
+ mt_store_field(usage, td, hi);
+ return 1;
+ case HID_DG_CONTACTCOUNT:
++ /* Ignore if indexes are out of bounds. */
++ if (field->index >= field->report->maxfield ||
++ usage->usage_index >= field->report_count)
++ return 1;
+ td->cc_index = field->index;
+ td->cc_value_index = usage->usage_index;
+ return 1;
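Review bot: the `field->index >= field->report->maxfield` half of the new test guards the later `field[td->cc_index]` access and `usage->usage_index >= field->report_count` guards `value[td->cc_value_index]`; returning 1 silently drops the contact-count mapping, so a device with a bogus descriptor still binds but without contact counting. Consider a dev_err() here mirroring the HID_DG_INPUTMODE case above so the rejection is visible in the log.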
+--
+cgit v0.9.2
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2898-HID-sensor-hub-validate-feature-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2898-HID-sensor-hub-validate-feature-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2898-HID-sensor-hub-validate-feature-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,36 @@
+From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:44 +0200
+Subject: HID: sensor-hub: validate feature report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9e8910257397372633e74b333ef891f20c800ee4 upstream.
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_se
+
+ mutex_lock(&data->mutex);
+ report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ ret = -EINVAL;
+ goto done_proc;
+ }
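Review bot: the new `report_count < 1` term is evaluated only after `field_index >= report->maxfield` has been ruled out by `||` short-circuit, so the `report->field[field_index]` dereference is in bounds; the check guarantees a single value, so if sensor_hub_get_feature() reads more than value[0] below this hunk the bound should be the caller's requested count instead of 1.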
Added: genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2899-HID-picolcd_core-validate-output-report-details.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2899-HID-picolcd_core-validate-output-report-details.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_CVE-2013-2899-HID-picolcd_core-validate-output-report-details.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,45 @@
+From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: HID: picolcd_core: validate output report details
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream.
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+ report->maxfield < 1
+
+to
+
+ report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
+Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_st
+ buf += 10;
+ cnt -= 10;
+ }
+- if (!report)
++ if (!report || report->maxfield != 1)
+ return -EINVAL;
+
+ while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
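Review bot: `maxfield != 1` is stricter than the `< 1` form used elsewhere in this series, since it also rejects reports with several fields; the commit message records that as deliberate per Bruno's review. It guarantees field[0] exists but says nothing about field[0]->report_count, so if the write path that follows sets more than value[0], a report_count check belongs here as well.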
Added: genpatches-2.6/trunk/3.10.7/1500_HID-check-for-NULL-field-when-setting-values.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_HID-check-for-NULL-field-when-setting-values.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_HID-check-for-NULL-field-when-setting-values.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,35 @@
+From be67b68d52fa28b9b721c47bb42068f0c1214855 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: HID: check for NULL field when setting values
+
+From: Kees Cook <keescook@chromium.org>
+
+commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream.
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
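Review bot: the NULL test is correctly placed before hid_dump_input(), which dereferences field->report, and -1 is the value hid_set_field() already returns for an out-of-range value, so callers see nothing new; callers that ignore the return now get a silent no-op instead of an oops, so any driver that must know the write happened should check it. This is the backstop for driver paths that do not go through hid_validate_values().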
Added: genpatches-2.6/trunk/3.10.7/1500_HID-provide-a-helper-for-validating-hid-reports.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_HID-provide-a-helper-for-validating-hid-reports.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_HID-provide-a-helper-for-validating-hid-reports.patch 2013-09-25 15:19:30 UTC (rev 2527)
@@ -0,0 +1,101 @@
+From 331415ff16a12147d57d5c953f3a961b7ede348b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 11 Sep 2013 19:56:50 +0000
+Subject: HID: provide a helper for validating hid reports
+
+Many drivers need to validate the characteristics of their HID report
+during initialization to avoid misusing the reports. This adds a common
+helper to perform validation of the report exisitng, the field existing,
+and the expected number of values within the field.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index ae88a97..be52c06 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -801,6 +801,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
+ }
+ EXPORT_SYMBOL_GPL(hid_parse_report);
+
++static const char * const hid_report_names[] = {
++ "HID_INPUT_REPORT",
++ "HID_OUTPUT_REPORT",
++ "HID_FEATURE_REPORT",
++};
++/**
++ * hid_validate_values - validate existing device report's value indexes
++ *
++ * @device: hid device
++ * @type: which report type to examine
++ * @id: which report ID to examine (0 for first)
++ * @field_index: which report field to examine
++ * @report_counts: expected number of values
++ *
++ * Validate the number of values in a given field of a given report, after
++ * parsing.
++ */
++struct hid_report *hid_validate_values(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int field_index,
++ unsigned int report_counts)
++{
++ struct hid_report *report;
++
++ if (type > HID_FEATURE_REPORT) {
++ hid_err(hid, "invalid HID report type %u\n", type);
++ return NULL;
++ }
++
++ if (id >= HID_MAX_IDS) {
++ hid_err(hid, "invalid HID report id %u\n", id);
++ return NULL;
++ }
++
++ /*
++ * Explicitly not using hid_get_report() here since it depends on
++ * ->numbered being checked, which may not always be the case when
++ * drivers go to access report values.
++ */
++ report = hid->report_enum[type].report_id_hash[id];
++ if (!report) {
++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
++ return NULL;
++ }
++ if (report->maxfield <= field_index) {
++ hid_err(hid, "not enough fields in %s %u\n",
++ hid_report_names[type], id);
++ return NULL;
++ }
++ if (report->field[field_index]->report_count < report_counts) {
++ hid_err(hid, "not enough values in %s %u field %u\n",
++ hid_report_names[type], id, field_index);
++ return NULL;
++ }
++ return report;
++}
++EXPORT_SYMBOL_GPL(hid_validate_values);
++
+ /**
+ * hid_open_report - open a driver-specific device report
+ *
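Review bot: the kernel-doc block names the first parameter `@device` while the function declares it `hid`, which scripts/kernel-doc will flag; rename to `@hid`. The `type > HID_FEATURE_REPORT` bound is correct only while HID_FEATURE_REPORT stays the highest report type (HID_REPORT_TYPES is 3, see the hid.h context in the CVE-2013-2888 patch), so `type >= HID_REPORT_TYPES` would tie the check to the three-entry `hid_report_names[]` table explicitly. The comment about not using hid_get_report() documents a real consequence for drivers: `id` is looked up literally, so a device whose reports are numbered must be validated with the real id, not 0. Also, "exisitng" in the commit message.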
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index ee1ffc5..31b9d29 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -756,6 +756,10 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);
+ struct hid_device *hid_allocate_device(void);
+ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
+ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
++struct hid_report *hid_validate_values(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int field_index,
++ unsigned int report_counts);
+ int hid_open_report(struct hid_device *device);
+ int hid_check_keys_pressed(struct hid_device *hid);
+ int hid_connect(struct hid_device *hid, unsigned int connect_mask);
+--
+cgit v0.9.2