HID: validate feature and input report details
authorBenjamin Tissoires <benjamin.tissoires@redhat.com>
Wed, 11 Sep 2013 19:56:57 +0000 (21:56 +0200)
committerJiri Kosina <jkosina@suse.cz>
Fri, 13 Sep 2013 13:13:22 +0000 (15:13 +0200)
commitcc6b54aa54bf40b762cab45a9fc8aa81653146eb
tree311d5b5b18d0d59e2cda8b45146c8a6ab3cc5fee
parent0a9cd0a80ac559357c6a90d26c55270ed752aa26
HID: validate feature and input report details

When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hid-core.c
drivers/hid/hid-input.c