[linux] 02/03: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Jul 2 10:04:40 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 8a42855d80074321574d041c9fab0adc38dd5e89
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Jul 2 11:58:13 2016 +0200
HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829)
---
debian/changelog | 2 ++
...validate-num_values-for-hidiocgusages-hid.patch | 41 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 44 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4d5ee50..0dbde44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,8 @@ linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
(CVE-2016-5728)
* [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls
(CVE-2016-5828)
+ * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
+ (CVE-2016-5829)
-- Salvatore Bonaccorso <carnil at debian.org> Sat, 02 Jul 2016 11:22:39 +0200
diff --git a/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch b/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
new file mode 100644
index 0000000..be2f2f1
--- /dev/null
+++ b/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
@@ -0,0 +1,41 @@
+From: Scott Bauer <sbauer at plzdonthack.me>
+Date: Thu, 23 Jun 2016 08:59:47 -0600
+Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
+ commands
+Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
+
+This patch validates the num_values parameter from userland during the
+HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
+to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
+leading to a heap overflow.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Scott Bauer <sbauer at plzdonthack.me>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+---
+ drivers/hid/usbhid/hiddev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
+index 2f1ddca6f2e0..700145b15088 100644
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
+ goto inval;
+ } else if (uref->usage_index >= field->report_count)
+ goto inval;
+-
+- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+- uref->usage_index + uref_multi->num_values > field->report_count))
+- goto inval;
+ }
+
++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
++ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
++ uref->usage_index + uref_multi->num_values > field->report_count))
++ goto inval;
++
+ switch (cmd) {
+ case HIDIOCGUSAGE:
+ uref->value = field->value[uref->usage_index];
diff --git a/debian/patches/series b/debian/patches/series
index 836c84a..e8f0f1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -727,3 +727,4 @@ bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
+bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list