[linux] 02/02: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Jul 3 14:26:08 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 25f9a78de358c581ca621577dca9f8a8a5112ffb
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Jul 3 16:25:28 2016 +0200
HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829)
---
debian/changelog | 2 ++
...validate-num_values-for-hidiocgusages-hid.patch | 39 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 42 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index eca05a3..de8c233 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ linux (3.2.81-2) UNRELEASED; urgency=medium
* linux-source: Fix build failure for non-modular configurations (Closes: #827561;
regression in 3.2.81-1)
* KEYS: potential uninitialized variable (CVE-2016-4470)
+ * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
+ (CVE-2016-5829)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 17 Jun 2016 23:35:41 +0100
diff --git a/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch b/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
new file mode 100644
index 0000000..7c9e8df
--- /dev/null
+++ b/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
@@ -0,0 +1,39 @@
+From: Scott Bauer <sbauer at plzdonthack.me>
+Date: Thu, 23 Jun 2016 08:59:47 -0600
+Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
+ commands
+Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
+
+This patch validates the num_values parameter from userland during the
+HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
+to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
+leading to a heap overflow.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Scott Bauer <sbauer at plzdonthack.me>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+---
+ drivers/hid/usbhid/hiddev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -515,13 +515,13 @@ static noinline int hiddev_ioctl_usage(s
+ goto inval;
+ } else if (uref->usage_index >= field->report_count)
+ goto inval;
+-
+- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+- uref->usage_index + uref_multi->num_values > field->report_count))
+- goto inval;
+ }
+
++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
++ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
++ uref->usage_index + uref_multi->num_values > field->report_count))
++ goto inval;
++
+ switch (cmd) {
+ case HIDIOCGUSAGE:
+ uref->value = field->value[uref->usage_index];
diff --git a/debian/patches/series b/debian/patches/series
index d8900a1..4b7a0cb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1115,6 +1115,7 @@ bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
bugfix/all/keys-potential-uninitialized-variable.patch
+bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list