HID: validate feature and input report details
authorBenjamin Tissoires <benjamin.tissoires@redhat.com>
Wed, 11 Sep 2013 19:56:57 +0000 (21:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Oct 2013 16:17:46 +0000 (09:17 -0700)
commitae5c98a48258dbdb742be23eadf9261b70d642c3
tree18c0eed25fb788b1d55e79802c96ba309a8e6762
parent791abfbee86161ad63bddc6af88c0391ef7332bd
HID: validate feature and input report details

commit cc6b54aa54bf40b762cab45a9fc8aa81653146eb upstream.

When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/hid/hid-core.c
drivers/hid/hid-input.c