[kernel] r22497 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at moszumanska.debian.org
Sun Apr 12 17:08:28 UTC 2015
Author: benh
Date: Sun Apr 12 17:08:27 2015
New Revision: 22497
Log:
HID: fix a couple of off-by-ones (CVE-2014-3184)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hid-fix-a-couple-of-off-by-ones.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Sun Apr 12 16:34:03 2015 (r22496)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sun Apr 12 17:08:27 2015 (r22497)
@@ -6,6 +6,7 @@
(CVE-2014-8159)
* eCryptfs: Remove buggy and unnecessary write in file name decode routine
(CVE-2014-9683)
+ * HID: fix a couple of off-by-ones (CVE-2014-3184)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 12 Apr 2015 17:12:31 +0100
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hid-fix-a-couple-of-off-by-ones.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hid-fix-a-couple-of-off-by-ones.patch Sun Apr 12 17:08:27 2015 (r22497)
@@ -0,0 +1,102 @@
+From: Jiri Kosina <jkosina at suse.cz>
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: HID: fix a couple of off-by-ones
+Origin: https://git.kernel.org/linus/4ab25786c87eb20857bbb715c3ae34ec8fd6a214
+
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+
+Cc: stable at vger.kernel.org
+Reported-by: Ben Hawkes <hawkes at google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+[bwh: Backported to 2.6.32:
+ - Adjust context
+ - Drop change to a quirk in hid-lg.c that doesn't exist here]
+---
+ drivers/hid/hid-cherry.c | 2 +-
+ drivers/hid/hid-kye.c | 2 +-
+ drivers/hid/hid-lg.c | 4 ++--
+ drivers/hid/hid-monterey.c | 2 +-
+ drivers/hid/hid-petalynx.c | 2 +-
+ drivers/hid/hid-sunplus.c | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
+index 1bdcccc..f745d2c 100644
+--- a/drivers/hid/hid-cherry.c
++++ b/drivers/hid/hid-cherry.c
+@@ -29,7 +29,7 @@
+ static void ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int rsize)
+ {
+- if (rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
++ if (rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+ dev_info(&hdev->dev, "fixing up Cherry Cymotion report "
+ "descriptor\n");
+ rdesc[11] = rdesc[16] = 0xff;
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index e776963..b92bf01 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -26,7 +26,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ static void kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int rsize)
+ {
+- if (rsize >= 74 &&
++ if (rsize >= 75 &&
+ rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+ rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+ rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index a976f48..f91ff14 100644
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -44,7 +44,7 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ {
+ unsigned long quirks = (unsigned long)hid_get_drvdata(hdev);
+
+- if ((quirks & LG_RDESC) && rsize >= 90 && rdesc[83] == 0x26 &&
++ if ((quirks & LG_RDESC) && rsize >= 91 && rdesc[83] == 0x26 &&
+ rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+ dev_info(&hdev->dev, "fixing up Logitech keyboard report "
+ "descriptor\n");
+diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
+index 9e14c00..25daf28 100644
+--- a/drivers/hid/hid-monterey.c
++++ b/drivers/hid/hid-monterey.c
+@@ -25,7 +25,7 @@
+ static void mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int rsize)
+ {
+- if (rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
++ if (rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+ dev_info(&hdev->dev, "fixing up button/consumer in HID report "
+ "descriptor\n");
+ rdesc[30] = 0x0c;
+diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
+index 736b250..6aca4f2 100644
+--- a/drivers/hid/hid-petalynx.c
++++ b/drivers/hid/hid-petalynx.c
+@@ -26,7 +26,7 @@
+ static void pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int rsize)
+ {
+- if (rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
++ if (rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+ rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+ rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+ dev_info(&hdev->dev, "fixing up Petalynx Maxter Remote report "
+diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
+index 87fc91e..91072fa 100644
+--- a/drivers/hid/hid-sunplus.c
++++ b/drivers/hid/hid-sunplus.c
+@@ -25,7 +25,7 @@
+ static void sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int rsize)
+ {
+- if (rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
++ if (rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+ rdesc[106] == 0x03) {
+ dev_info(&hdev->dev, "fixing up Sunplus Wireless Desktop "
+ "report descriptor\n");
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12 Sun Apr 12 16:34:03 2015 (r22496)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12 Sun Apr 12 17:08:27 2015 (r22497)
@@ -2,3 +2,4 @@
+ bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
+ bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
+ bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
++ bugfix/all/hid-fix-a-couple-of-off-by-ones.patch
More information about the Kernel-svn-changes
mailing list