diff options
| author | Benjamin Tissoires <benjamin.tissoires@redhat.com> | 2013-09-11 15:56:57 -0400 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2013-09-13 09:13:22 -0400 |
| commit | cc6b54aa54bf40b762cab45a9fc8aa81653146eb (patch) | |
| tree | 311d5b5b18d0d59e2cda8b45146c8a6ab3cc5fee | |
| parent | 0a9cd0a80ac559357c6a90d26c55270ed752aa26 (diff) | |
HID: validate feature and input report details
When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.
When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:
[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2897
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
| -rw-r--r-- | drivers/hid/hid-core.c | 16 | ||||
| -rw-r--r-- | drivers/hid/hid-input.c | 11 |
2 files changed, 17 insertions, 10 deletions
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index be52c06dbe30..b8470b1a10fe 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c | |||
| @@ -94,7 +94,6 @@ EXPORT_SYMBOL_GPL(hid_register_report); | |||
| 94 | static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) | 94 | static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) |
| 95 | { | 95 | { |
| 96 | struct hid_field *field; | 96 | struct hid_field *field; |
| 97 | int i; | ||
| 98 | 97 | ||
| 99 | if (report->maxfield == HID_MAX_FIELDS) { | 98 | if (report->maxfield == HID_MAX_FIELDS) { |
| 100 | hid_err(report->device, "too many fields in report\n"); | 99 | hid_err(report->device, "too many fields in report\n"); |
| @@ -113,9 +112,6 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned | |||
| 113 | field->value = (s32 *)(field->usage + usages); | 112 | field->value = (s32 *)(field->usage + usages); |
| 114 | field->report = report; | 113 | field->report = report; |
| 115 | 114 | ||
| 116 | for (i = 0; i < usages; i++) | ||
| 117 | field->usage[i].usage_index = i; | ||
| 118 | |||
| 119 | return field; | 115 | return field; |
| 120 | } | 116 | } |
| 121 | 117 | ||
| @@ -226,9 +222,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign | |||
| 226 | { | 222 | { |
| 227 | struct hid_report *report; | 223 | struct hid_report *report; |
| 228 | struct hid_field *field; | 224 | struct hid_field *field; |
| 229 | int usages; | 225 | unsigned usages; |
| 230 | unsigned offset; | 226 | unsigned offset; |
| 231 | int i; | 227 | unsigned i; |
| 232 | 228 | ||
| 233 | report = hid_register_report(parser->device, report_type, parser->global.report_id); | 229 | report = hid_register_report(parser->device, report_type, parser->global.report_id); |
| 234 | if (!report) { | 230 | if (!report) { |
| @@ -255,7 +251,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign | |||
| 255 | if (!parser->local.usage_index) /* Ignore padding fields */ | 251 | if (!parser->local.usage_index) /* Ignore padding fields */ |
| 256 | return 0; | 252 | return 0; |
| 257 | 253 | ||
| 258 | usages = max_t(int, parser->local.usage_index, parser->global.report_count); | 254 | usages = max_t(unsigned, parser->local.usage_index, |
| 255 | parser->global.report_count); | ||
| 259 | 256 | ||
| 260 | field = hid_register_field(report, usages, parser->global.report_count); | 257 | field = hid_register_field(report, usages, parser->global.report_count); |
| 261 | if (!field) | 258 | if (!field) |
| @@ -266,13 +263,14 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign | |||
| 266 | field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION); | 263 | field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION); |
| 267 | 264 | ||
| 268 | for (i = 0; i < usages; i++) { | 265 | for (i = 0; i < usages; i++) { |
| 269 | int j = i; | 266 | unsigned j = i; |
| 270 | /* Duplicate the last usage we parsed if we have excess values */ | 267 | /* Duplicate the last usage we parsed if we have excess values */ |
| 271 | if (i >= parser->local.usage_index) | 268 | if (i >= parser->local.usage_index) |
| 272 | j = parser->local.usage_index - 1; | 269 | j = parser->local.usage_index - 1; |
| 273 | field->usage[i].hid = parser->local.usage[j]; | 270 | field->usage[i].hid = parser->local.usage[j]; |
| 274 | field->usage[i].collection_index = | 271 | field->usage[i].collection_index = |
| 275 | parser->local.collection_index[j]; | 272 | parser->local.collection_index[j]; |
| 273 | field->usage[i].usage_index = i; | ||
| 276 | } | 274 | } |
| 277 | 275 | ||
| 278 | field->maxusage = usages; | 276 | field->maxusage = usages; |
| @@ -1354,7 +1352,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, | |||
| 1354 | goto out; | 1352 | goto out; |
| 1355 | } | 1353 | } |
| 1356 | 1354 | ||
| 1357 | if (hid->claimed != HID_CLAIMED_HIDRAW) { | 1355 | if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { |
| 1358 | for (a = 0; a < report->maxfield; a++) | 1356 | for (a = 0; a < report->maxfield; a++) |
| 1359 | hid_input_field(hid, report->field[a], cdata, interrupt); | 1357 | hid_input_field(hid, report->field[a], cdata, interrupt); |
| 1360 | hdrv = hid->driver; | 1358 | hdrv = hid->driver; |
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index b420f4a0fd28..8741d953dcc8 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c | |||
| @@ -485,6 +485,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel | |||
| 485 | if (field->flags & HID_MAIN_ITEM_CONSTANT) | 485 | if (field->flags & HID_MAIN_ITEM_CONSTANT) |
| 486 | goto ignore; | 486 | goto ignore; |
| 487 | 487 | ||
| 488 | /* Ignore if report count is out of bounds. */ | ||
| 489 | if (field->report_count < 1) | ||
| 490 | goto ignore; | ||
| 491 | |||
| 488 | /* only LED usages are supported in output fields */ | 492 | /* only LED usages are supported in output fields */ |
| 489 | if (field->report_type == HID_OUTPUT_REPORT && | 493 | if (field->report_type == HID_OUTPUT_REPORT && |
| 490 | (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) { | 494 | (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) { |
| @@ -1236,7 +1240,11 @@ static void report_features(struct hid_device *hid) | |||
| 1236 | 1240 | ||
| 1237 | rep_enum = &hid->report_enum[HID_FEATURE_REPORT]; | 1241 | rep_enum = &hid->report_enum[HID_FEATURE_REPORT]; |
| 1238 | list_for_each_entry(rep, &rep_enum->report_list, list) | 1242 | list_for_each_entry(rep, &rep_enum->report_list, list) |
| 1239 | for (i = 0; i < rep->maxfield; i++) | 1243 | for (i = 0; i < rep->maxfield; i++) { |
| 1244 | /* Ignore if report count is out of bounds. */ | ||
| 1245 | if (rep->field[i]->report_count < 1) | ||
| 1246 | continue; | ||
| 1247 | |||
| 1240 | for (j = 0; j < rep->field[i]->maxusage; j++) { | 1248 | for (j = 0; j < rep->field[i]->maxusage; j++) { |
| 1241 | /* Verify if Battery Strength feature is available */ | 1249 | /* Verify if Battery Strength feature is available */ |
| 1242 | hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]); | 1250 | hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]); |
| @@ -1245,6 +1253,7 @@ static void report_features(struct hid_device *hid) | |||
| 1245 | drv->feature_mapping(hid, rep->field[i], | 1253 | drv->feature_mapping(hid, rep->field[i], |
| 1246 | rep->field[i]->usage + j); | 1254 | rep->field[i]->usage + j); |
| 1247 | } | 1255 | } |
| 1256 | } | ||
| 1248 | } | 1257 | } |
| 1249 | 1258 | ||
| 1250 | static struct hid_input *hidinput_allocate(struct hid_device *hid) | 1259 | static struct hid_input *hidinput_allocate(struct hid_device *hid) |