[Lucid][CVE 1/2] HID: add usage_index in struct hid_usage.

Luis Henriques luis.henriques at canonical.com
Thu Oct 10 13:48:09 UTC 2013 

From: Benjamin Tissoires <benjamin.tissoires at gmail.com>

BugLink: http://bugs.launchpad.net/bugs/1220205

CVE-2013-2897

Currently, there is no way to know the index of the current field
in the .input_mapping and .event callbacks  when this field is inside
an array of HID fields.
This patch adds this index to the struct hid_usage so that this
information is available to input_mapping and event callbacks.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires at gmail.com>
Acked-by: Jiri Kosina <jkosina at suse.cz>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
(cherry picked from commit f262d1fa2c651a5e2f92b6aee8779597631cd5d4)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/hid/hid-core.c | 4 ++++
 include/linux/hid.h    | 1 +
 2 files changed, 5 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 011e4a1..0fb4906 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -87,6 +87,7 @@ static struct hid_report *hid_register_report(struct hid_device *device, unsigne
 static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values)
 {
 	struct hid_field *field;
+	int i;
 
 	if (report->maxfield == HID_MAX_FIELDS) {
 		dbg_hid("too many fields in report\n");
@@ -102,6 +103,9 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned
 	field->value = (s32 *)(field->usage + usages);
 	field->report = report;
 
+	for (i = 0; i < usages; i++)
+		field->usage[i].usage_index = i;
+
 	return field;
 }
 
diff --git a/include/linux/hid.h b/include/linux/hid.h
index e5db8e5..b441d08 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -363,6 +363,7 @@ struct hid_collection {
 struct hid_usage {
 	unsigned  hid;			/* hid usage code */
 	unsigned  collection_index;	/* index into collection array */
+	unsigned  usage_index;		/* index into usage array */
 	/* hidinput data */
 	__u16     code;			/* input driver code */
 	__u8      type;			/* input driver type */
-- 
1.8.3.2

More information about the kernel-team mailing list