HID: sensor-hub: validate feature report details
authorKees Cook <keescook@chromium.org>
Wed, 28 Aug 2013 20:31:44 +0000 (22:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 00:18:16 +0000 (17:18 -0700)
commit 9e8910257397372633e74b333ef891f20c800ee4 upstream.

A HID device could send a malicious feature report that would cause the
sensor-hub HID driver to read past the end of heap allocation, leaking
kernel memory contents to the caller.

CVE-2013-2898

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/hid/hid-sensor-hub.c

index ca74981073271effdddc72ba1f173acea27ebbf9..aa34755ca205eb6955cb10b01b2a6b01bc1a3dd1 100644 (file)
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
 
        mutex_lock(&data->mutex);
        report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
-       if (!report || (field_index >=  report->maxfield)) {
+       if (!report || (field_index >=  report->maxfield) ||
+           report->field[field_index]->report_count < 1) {
                ret = -EINVAL;
                goto done_proc;
        }