projects / firefly-linux-kernel-4.4.55.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f8fe273) | patch
HID: validate HID report id size
authorKees Cook <keescook@chromium.org>
Wed, 28 Aug 2013 20:29:55 +0000 (22:29 +0200)
committerBadhri Jagan Sridharan <Badhri@google.com>
Fri, 11 Jul 2014 18:19:18 +0000 (11:19 -0700)
commit2ca27aef6f907c33d85915df5f37ddee32a92742
treeb8c9c768655483307ac89698075c41ab7e14ffcftree | snapshot
parentf8fe2735daaf662876d1333075991997c04d5359commit | diff
HID: validate HID report id size

The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hid-core.c diff | blob | history
include/linux/hid.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.