[CVE-2016-5829][Precise, Trusty, Vivid, Xenial] HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands

[Luis Henriques]

From: Scott Bauer <sbauer at plzdonthack.me>

This patch validates the num_values parameter from userland during the
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
leading to a heap overflow.

Cc: stable at vger.kernel.org
Signed-off-by: Scott Bauer <sbauer at plzdonthack.me>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
(cherry picked from commit 93a2001bdfd5376c3dc2158653034c20392d15c5)
CVE-2016-5829
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/hid/usbhid/hiddev.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 4ef02b269a71..1378ae0d1376 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -515,13 +515,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
 					goto inval;
 			} else if (uref->usage_index >= field->report_count)
 				goto inval;
-
-			else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-				 (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-				  uref->usage_index + uref_multi->num_values > field->report_count))
-				goto inval;
 		}
 
+		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+		     uref->usage_index + uref_multi->num_values > field->report_count))
+			goto inval;
+
 		switch (cmd) {
 		case HIDIOCGUSAGE:
 			uref->value = field->value[uref->usage_index];