[ 3.8.y.z extended stable ] Patch "HID: picolcd_core: validate output report details" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Fri Sep 20 00:36:25 UTC 2013
This is a note to let you know that I have just added a patch titled
HID: picolcd_core: validate output report details
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue
This patch is scheduled to be released in version 3.8.13.10.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
>From ab4bbacb976e1d42d7ec314ae0a0ddc75a07fbfe Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook at chromium.org>
Date: Wed, 28 Aug 2013 22:31:52 +0200
Subject: HID: picolcd_core: validate output report details
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream.
A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.
[jkosina at suse.cz: changed
report->maxfield < 1
to
report->maxfield != 1
as suggested by Bruno].
CVE-2013-2899
Signed-off-by: Kees Cook <keescook at chromium.org>
Reviewed-by: Bruno Prémont <bonbons at linux-vserver.org>
Acked-by: Bruno Prémont <bonbons at linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
drivers/hid/hid-picolcd_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index 86df26e..775252d 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -292,7 +292,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
buf += 10;
cnt -= 10;
}
- if (!report)
+ if (!report || report->maxfield != 1)
return -EINVAL;
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
--
1.8.1.2
More information about the kernel-team
mailing list