Add some security fixes that have been applied upstream

svn path=/dists/sid/linux/; revision=20589

debian/changelog

@@ -74,6 +74,13 @@ linux (3.10.11-1) UNRELEASED; urgency=low
   * [x86] amd64_edac: Fix single-channel setups (Closes: #717473)
   * [x86] efi: Ensure efi-pstore is loaded on EFI systems
   * bug script: Prompt to include crash logs from pstore
+  * ipv6: remove max_addresses check from ipv6_create_tempaddr (CVE-2013-0343)
+  * HID: validate HID report id size (CVE-2013-2888)
+  * HID: pantherlord: validate output report details (CVE-2013-2892)
+  * HID: ntrig: validate feature report details (CVE-2013-2896)
+  * HID: sensor-hub: validate feature report details (CVE-2013-2898)
+  * HID: picolcd_core: validate output report details (CVE-2013-2899)
+  * HID: check for NULL field when setting values
 
   [ Ian Campbell ]
   * [armel]: Enable MVMDIO and USB_EHCI_HCD_ORION on Kirkwood and Orion

debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch

@@ -0,0 +1,30 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: [6/6] HID: check for NULL field when setting values
+Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+ 
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+-	unsigned size = field->report_size;
++	unsigned size;
++
++	if (!field)
++		return -1;
++
++	size = field->report_size;
+ 
+ 	hid_dump_input(field->report->device, field->usage + offset, value);
+ 

debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch

@@ -0,0 +1,37 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:28 +0200
+Subject: [3/6] HID: ntrig: validate feature report details
+Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index 98d1fdf..600f207 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+ 	struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ 				    report_id_hash[0x0d];
+ 
+-	if (!report)
++	if (!report || report->maxfield < 1 ||
++	    report->field[0]->report_count < 1)
+ 		return -EINVAL;
+ 
+ 	hid_hw_request(hdev, report, HID_REQ_GET_REPORT);

debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch

@@ -0,0 +1,43 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:30:49 +0200
+Subject: [2/6] HID: pantherlord: validate output report details
+Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+ 			strong = &report->field[0]->value[2];
+ 			weak = &report->field[0]->value[3];
+ 			debug("detected single-field device");
+-		} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+-				report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++		} else if (report->field[0]->maxusage == 1 &&
++			   report->field[0]->usage[0].hid ==
++				(HID_UP_LED | 0x43) &&
++			   report->maxfield >= 4 &&
++			   report->field[0]->report_count >= 1 &&
++			   report->field[1]->report_count >= 1 &&
++			   report->field[2]->report_count >= 1 &&
++			   report->field[3]->report_count >= 1) {
+ 			report->field[0]->value[0] = 0x00;
+ 			report->field[1]->value[0] = 0x00;
+ 			strong = &report->field[2]->value[0];

debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch

@@ -0,0 +1,45 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: [5/6] HID: picolcd_core: validate output report details
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+	report->maxfield < 1
+
+to
+
+	report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
+Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..acbb0210 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+ 		buf += 10;
+ 		cnt -= 10;
+ 	}
+-	if (!report)
++	if (!report || report->maxfield != 1)
+ 		return -EINVAL;
+ 
+ 	while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))

debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch

@@ -0,0 +1,33 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:44 +0200
+Subject: [4/6] HID: sensor-hub: validate feature report details
+Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ffc80cf..6fca30e 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+ 
+ 	mutex_lock(&data->mutex);
+ 	report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+-	if (!report || (field_index >=  report->maxfield)) {
++	if (!report || (field_index >=  report->maxfield) ||
++	    report->field[field_index]->report_count < 1) {
+ 		ret = -EINVAL;
+ 		goto done_proc;
+ 	}

debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch

@@ -0,0 +1,57 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:29:55 +0200
+Subject: [1/6] HID: validate HID report id size
+Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 36668d1..5ea7d51 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+ 	struct hid_report_enum *report_enum = device->report_enum + type;
+ 	struct hid_report *report;
+ 
++	if (id >= HID_MAX_IDS)
++		return NULL;
+ 	if (report_enum->report_id_hash[id])
+ 		return report_enum->report_id_hash[id];
+ 
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+ 
+ 	case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ 		parser->global.report_id = item_udata(item);
+-		if (parser->global.report_id == 0) {
+-			hid_err(parser->device, "report_id 0 is invalid\n");
++		if (parser->global.report_id == 0 ||
++		    parser->global.report_id >= HID_MAX_IDS) {
++			hid_err(parser->device, "report_id %u is invalid\n",
++				parser->global.report_id);
+ 			return -1;
+ 		}
+ 		return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+ 	for (i = 0; i < HID_REPORT_TYPES; i++) {
+ 		struct hid_report_enum *report_enum = device->report_enum + i;
+ 
+-		for (j = 0; j < 256; j++) {
++		for (j = 0; j < HID_MAX_IDS; j++) {
+ 			struct hid_report *report = report_enum->report_id_hash[j];
+ 			if (report)
+ 				hid_free_report(report);

debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch

@@ -0,0 +1,60 @@
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 16 Aug 2013 13:02:27 +0200
+Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
+Origin: https://git.kernel.org/linus/4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+Because of the max_addresses check attackers were able to disable privacy
+extensions on an interface by creating enough autoconfigured addresses:
+
+<http://seclists.org/oss-sec/2012/q4/292>
+
+But the check is not actually needed: max_addresses protects the
+kernel to install too many ipv6 addresses on an interface and guards
+addrconf_prefix_rcv to install further addresses as soon as this limit
+is reached. We only generate temporary addresses in direct response of
+a new address showing up. As soon as we filled up the maximum number of
+addresses of an interface, we stop installing more addresses and thus
+also stop generating more temp addresses.
+
+Even if the attacker tries to generate a lot of temporary addresses
+by announcing a prefix and removing it again (lifetime == 0) we won't
+install more temp addresses, because the temporary addresses do count
+to the maximum number of addresses, thus we would stop installing new
+autoconfigured addresses when the limit is reached.
+
+This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+possible).
+
+Thanks to Ding Tianhong to bring this topic up again.
+
+Cc: Ding Tianhong <dingtianhong@huawei.com>
+Cc: George Kargiotakis <kargig@void.gr>
+Cc: P J P <ppandit@redhat.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.10: adjust ipv6_add_addr() parameter list]
+---
+ net/ipv6/addrconf.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1124,12 +1124,10 @@ retry:
+ 	if (ifp->flags & IFA_F_OPTIMISTIC)
+ 		addr_flags |= IFA_F_OPTIMISTIC;
+ 
+-	ift = !max_addresses ||
+-	      ipv6_count_addresses(idev) < max_addresses ?
+-		ipv6_add_addr(idev, &addr, tmp_plen,
+-			      ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+-			      addr_flags) : NULL;
+-	if (IS_ERR_OR_NULL(ift)) {
++	ift = ipv6_add_addr(idev, &addr, tmp_plen,
++			    ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
++			    addr_flags);
++	if (IS_ERR(ift)) {
+ 		in6_ifa_put(ifp);
+ 		in6_dev_put(idev);
+ 		pr_info("%s: retry temporary address regeneration\n", __func__);

debian/patches/series

@@ -117,3 +117,10 @@ bugfix/arm/I2C-mv64xxx-move-mv64xxx_i2c_prepare_for_io.patch
 bugfix/arm/I2C-mv64xxx-fix-race-between-FSM-interrupt-and-proce.patch
 bugfix/arm/ARM-Fix-the-world-famous-typo-with-is_gate_vma.patch
 bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
+bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
+bugfix/all/HID-validate-HID-report-id-size.patch
+bugfix/all/HID-pantherlord-validate-output-report-details.patch
+bugfix/all/HID-ntrig-validate-feature-report-details.patch
+bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
+bugfix/all/HID-picolcd_core-validate-output-report-details.patch
+bugfix/all/HID-check-for-NULL-field-when-setting-values.patch