Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 886ee9abfa472ed5514b1c97c1a92165df0d5614
commit886ee9abfa472ed5514b1c97c1a92165df0d5614[log] [tgz]
authorKees Cook <keescook@chromium.org>Wed Aug 28 22:29:55 2013 +0200
committerchrmhoffmann <chrmhoffmann@gmail.com>Sun Apr 05 10:18:50 2020 +0200
treed2a38861c1d4f8e581b205773c957d6e0b82f5a4
parent785b05f348c84c98d90f91f01654815346a31994 [diff]
HID: validate HID report id size

commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.

The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2 files changed
tree: d2a38861c1d4f8e581b205773c957d6e0b82f5a4
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS