FPII-2528 : Information disclosure vulnerability in kernel components CVE-2016-7915 A-30951261 In the hid_input_field function, there is a potential for an out-of-bounds read. The fix is designed to add additional bounds checks to prevent the potential out-of-bounds read. Change-Id: Idbb5466e9163e5ebb69d9d64729206ad5e7dedce

commit: fb452002e103319f9a4185d020697b3b646f2e08 [log] [tgz]
author: Jeron Susan <jeron.susan@hi-p.com> Tue Oct 18 11:53:54 2016 +0800
committer: Teemu Hukkanen <teemu@fairphone.com> Thu Nov 10 15:14:06 2016 +0100
tree: 9b6e4597ae41deeee8182b4995fe44c8e847179c
parent: 279b700f99b0af319f2cc2fb54bdfb87f0e5f7d6 [diff] [blame]
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 4da66b4..8e7b22e 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c

@@ -921,6 +921,7 @@
 		/* Ignore report if ErrorRollOver */
 		if (!(field->flags & HID_MAIN_ITEM_VARIABLE) &&
 		    value[n] >= min && value[n] <= max &&
+		    value[n] - min < field->maxusage &&
 		    field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1)
 			goto exit;
 	}
@@ -933,11 +934,13 @@
 		}
 
 		if (field->value[n] >= min && field->value[n] <= max
+			&& field->value[n] - min < field->maxusage
 			&& field->usage[field->value[n] - min].hid
 			&& search(value, field->value[n], count))
 				hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt);
 
 		if (value[n] >= min && value[n] <= max
+			&& value[n] - min < field->maxusage
 			&& field->usage[value[n] - min].hid
 			&& search(field->value, value[n], count))
 				hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
commit	fb452002e103319f9a4185d020697b3b646f2e08	[log] [tgz]
author	Jeron Susan <jeron.susan@hi-p.com>	Tue Oct 18 11:53:54 2016 +0800
committer	Teemu Hukkanen <teemu@fairphone.com>	Thu Nov 10 15:14:06 2016 +0100
tree	9b6e4597ae41deeee8182b4995fe44c8e847179c
parent	279b700f99b0af319f2cc2fb54bdfb87f0e5f7d6 [diff] [blame]