From patchwork Fri Dec 6 09:46:02 2013
X-Patchwork-Submitter: Kefeng Wang
X-Patchwork-Id: 3294151
X-Patchwork-Delegate: jikos@jikos.cz
From: Kefeng Wang
To: Kees Cook, Jiri Kosina, Greg Kroah-Hartman
Subject: [PATCH 3.4-stable][CVE] HID: picolcd_core: validate output report details
Date: Fri, 6 Dec 2013 17:46:02 +0800
Message-ID: <1386323162-7676-1-git-send-email-wangkefeng.wang@huawei.com>
X-Mailing-List: linux-input@vger.kernel.org

From: Kees Cook

Hi Kees, Jiri or Greg,

This patch has been backported to the 3.2 stable tree. It is a CVE bugfix, and looks applicable to stable-3.4. It prevents triggering a NULL dereference during attr file writing if a HID device sends a malicious output report.

NOTE: Rename file drivers/hid/hid-picolcd_core.c -> drivers/hid/hid-picolcd.c.

===========

From: Kees Cook

commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream.

A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing.

[jkosina@suse.cz: changed report->maxfield < 1 to report->maxfield != 1 as suggested by Bruno].

CVE-2013-2899

Signed-off-by: Kees Cook
Cc: stable@kernel.org
Reviewed-by: Bruno Prémont
Acked-by: Bruno Prémont
Signed-off-by: Jiri Kosina
[Kefeng: backported to stable 3.4: adjust filename]
Signed-off-by: Kefeng Wang
--- drivers/hid/hid-picolcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-picolcd.c b/drivers/hid/hid-picolcd.c index 45c3433..95f9047 100644 --- a/drivers/hid/hid-picolcd.c +++ b/drivers/hid/hid-picolcd.c
@@ -1424,7 +1424,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, buf += 10; cnt -= 10; } - if (!report) + if (!report || report->maxfield != 1) return -EINVAL; while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
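
Review bot: the new condition in picolcd_operation_mode_store(), "if (!report || report->maxfield != 1)", only establishes that the report has exactly one field; nothing visible in this hunk bounds how many values that field holds, so if the code after the trailing-newline trimming stores into more than the first value slot, a report_count check belongs in the same condition. A one-line comment above the test saying why exactly one field is required would help later backporters, since the changelog shows the comparison was already changed once at review from "< 1" to "!= 1". Both the missing-report case and the wrong-field-count case return the same -EINVAL, which the writer of the attr file cannot tell apart from a rejected input string; consider a hid_err() on the device-side failure so a malformed report descriptor shows up in the kernel log.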