[ 3.8.y.z extended stable ] Patch "HID: lenovo-tpkbd: validate output report details" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Mon Oct 7 18:40:45 UTC 2013 

This is a note to let you know that I have just added a patch titled

    HID: lenovo-tpkbd: validate output report details

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.11.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From e770f7e5cf314edb4b85c0a701b6c851d0a9d855 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook at chromium.org>
Date: Wed, 11 Sep 2013 21:56:55 +0200
Subject: HID: lenovo-tpkbd: validate output report details

commit 0a9cd0a80ac559357c6a90d26c55270ed752aa26 upstream.

A HID device could send a malicious output report that would cause the
lenovo-tpkbd HID driver to write just beyond the output report allocation
during initialization, causing a heap overflow:

[   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
...
[   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2894

Signed-off-by: Kees Cook <keescook at chromium.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
index cea016e..189a3fb 100644
--- a/drivers/hid/hid-lenovo-tpkbd.c
+++ b/drivers/hid/hid-lenovo-tpkbd.c
@@ -341,7 +341,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
 	struct tpkbd_data_pointer *data_pointer;
 	size_t name_sz = strlen(dev_name(dev)) + 16;
 	char *name_mute, *name_micmute;
-	int ret;
+	int i, ret;
+
+	/* Validate required reports. */
+	for (i = 0; i < 4; i++) {
+		if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1))
+			return -ENODEV;
+	}
+	if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2))
+		return -ENODEV;

 	if (sysfs_create_group(&hdev->dev.kobj,
 				&tpkbd_attr_group_pointer)) {
--
1.8.1.2

More information about the kernel-team mailing list