34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
From: Kees Cook <keescook@chromium.org>
|
|
Date: Wed, 28 Aug 2013 22:31:44 +0200
|
|
Subject: [4/6] HID: sensor-hub: validate feature report details
|
|
Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
|
|
|
|
A HID device could send a malicious feature report that would cause the
|
|
sensor-hub HID driver to read past the end of heap allocation, leaking
|
|
kernel memory contents to the caller.
|
|
|
|
CVE-2013-2898
|
|
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@kernel.org
|
|
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
|
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
---
|
|
drivers/hid/hid-sensor-hub.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
|
|
index ffc80cf..6fca30e 100644
|
|
--- a/drivers/hid/hid-sensor-hub.c
|
|
+++ b/drivers/hid/hid-sensor-hub.c
|
|
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
|
|
|
|
mutex_lock(&data->mutex);
|
|
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
|
|
- if (!report || (field_index >= report->maxfield)) {
|
|
+ if (!report || (field_index >= report->maxfield) ||
|
|
+ report->field[field_index]->report_count < 1) {
|
|
ret = -EINVAL;
|
|
goto done_proc;
|
|
}
|