Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: zeroplus: validate output report details

The zeroplus HID driver was not checking the size of allocated values
in fields it used. A HID device could send a malicious output report
that would cause the driver to write beyond the output report allocation
during initialization, causing a heap overflow:

[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
...
[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2889

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

authored by Kees Cook and committed by Jiri Kosina
78214e81 331415ff

+5 -13
drivers/hid/hid-zpff.c
··· 68 68 struct hid_report *report; 69 69 struct hid_input *hidinput = list_entry(hid->inputs.next, 70 70 struct hid_input, list); 71 - struct list_head *report_list = 72 - &hid->report_enum[HID_OUTPUT_REPORT].report_list; 73 71 struct input_dev *dev = hidinput->input; 74 - int error; 72 + int i, error; 75 73 76 - if (list_empty(report_list)) { 77 - hid_err(hid, "no output report found\n"); 78 - return -ENODEV; 79 - } 80 - 81 - report = list_entry(report_list->next, struct hid_report, list); 82 - 83 - if (report->maxfield < 4) { 84 - hid_err(hid, "not enough fields in report\n"); 85 - return -ENODEV; 74 + for (i = 0; i < 4; i++) { 75 + report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); 76 + if (!report) 77 + return -ENODEV; 86 78 } 87 79 88 80 zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
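Review bot: the two explicit diagnostics removed from this hunk ("no output report found" and "not enough fields in report") are not replaced by anything in the new loop, which returns -ENODEV silently on `if (!report)`; unless hid_validate_values() itself logs the reason, a probe failure on this device becomes harder to triage from dmesg, so consider keeping a single hid_err() in the failure path. On the substance, the loop over `i = 0..3` calling `hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1)` is stronger than the old `report->maxfield < 4` test because it also asserts that each of the four fields has at least one value slot, which is exactly what the old code never checked before writing into them; it would help to confirm in the commit message that the driver only ever touches `value[0]` of each field so the count of 1 is sufficient. After the loop `report` holds the result of the last iteration; that is fine here because every call looks up the same report id 0, but a one-line comment saying so would stop a future reader from wondering whether the loop should collect four different reports.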