[kernel/f18] Fix HID CVEs. Absurd.

Josh Boyer jwboyer at fedoraproject.org
Fri Aug 30 17:22:08 UTC 2013


commit 2392a892c3ddfdac174abe96879a28e6f61419b3
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Fri Aug 30 13:03:20 2013 -0400

    Fix HID CVEs.  Absurd.
    
    - CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
    - CVE-2013-2891 rhbz 999960 1002555  CVE-2013-2892 rhbz 1000429 1002570
    - CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
    - CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
    - CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604

 HID-CVE-fixes.patch | 1405 +++++++++++++++++++++++++++++++++++++++++++++++++++
 kernel.spec         |   22 +
 2 files changed, 1427 insertions(+), 0 deletions(-)
---
diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch
new file mode 100644
index 0000000..2b52d01
--- /dev/null
+++ b/HID-CVE-fixes.patch
@@ -0,0 +1,1405 @@
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 01/14] HID: validate HID report id size
+Date: Wed, 28 Aug 2013 22:29:55 +0200 (CEST)
+Lines: 81
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282158220.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721804 9521 80.91.229.3 (28 Aug 2013 20:30:04 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:04 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:06 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmNR-0008U8-2t
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:05 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754658Ab3H1UaD (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:30:03 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57907 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1752748Ab3H1UaD (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:30:03 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 1C5ACA535B;
+	Wed, 28 Aug 2013 22:30:01 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31652
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31652>
+
+From: Kees Cook <keescook at chromium.org>
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-core.c |   10 +++++++---
+ include/linux/hid.h    |    4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 36668d1..5ea7d51 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+ 	struct hid_report_enum *report_enum = device->report_enum + type;
+ 	struct hid_report *report;
+ 
++	if (id >= HID_MAX_IDS)
++		return NULL;
+ 	if (report_enum->report_id_hash[id])
+ 		return report_enum->report_id_hash[id];
+ 
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+ 
+ 	case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ 		parser->global.report_id = item_udata(item);
+-		if (parser->global.report_id == 0) {
+-			hid_err(parser->device, "report_id 0 is invalid\n");
++		if (parser->global.report_id == 0 ||
++		    parser->global.report_id >= HID_MAX_IDS) {
++			hid_err(parser->device, "report_id %u is invalid\n",
++				parser->global.report_id);
+ 			return -1;
+ 		}
+ 		return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+ 	for (i = 0; i < HID_REPORT_TYPES; i++) {
+ 		struct hid_report_enum *report_enum = device->report_enum + i;
+ 
+-		for (j = 0; j < 256; j++) {
++		for (j = 0; j < HID_MAX_IDS; j++) {
+ 			struct hid_report *report = report_enum->report_id_hash[j];
+ 			if (report)
+ 				hid_free_report(report);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 0c48991..ff545cc 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -393,10 +393,12 @@ struct hid_report {
+ 	struct hid_device *device;			/* associated device */
+ };
+ 
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ 	unsigned numbered;
+ 	struct list_head report_list;
+-	struct hid_report *report_id_hash[256];
++	struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+ 
+ #define HID_REPORT_TYPES 3
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 02/14] HID: provide a helper for validating hid reports
+Date: Wed, 28 Aug 2013 22:30:06 +0200 (CEST)
+Lines: 99
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282158570.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721810 9564 80.91.229.3 (28 Aug 2013 20:30:10 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:10 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:12 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmNX-0008U8-Cg
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:11 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754750Ab3H1UaK (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:30:10 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57911 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1752748Ab3H1UaK (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:30:10 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 3C054A531D;
+	Wed, 28 Aug 2013 22:30:09 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31653
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31653>
+
+From: Kees Cook <keescook at chromium.org>
+
+Many drivers need to validate the characteristics of their HID report
+during initialization to avoid misusing the reports. This adds a common
+helper to perform validation of the report, its field count, and the
+value count within the fields.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h    |    4 ++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 5ea7d51..55798b2 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
+ }
+ EXPORT_SYMBOL_GPL(hid_parse_report);
+ 
++static const char * const hid_report_names[] = {
++	"HID_INPUT_REPORT",
++	"HID_OUTPUT_REPORT",
++	"HID_FEATURE_REPORT",
++};
++/**
++ * hid_validate_report - validate existing device report
++ *
++ * @device: hid device
++ * @type: which report type to examine
++ * @id: which report ID to examine (0 for first)
++ * @fields: expected number of fields
++ * @report_counts: expected number of values per field
++ *
++ * Validate the report details after parsing.
++ */
++struct hid_report *hid_validate_report(struct hid_device *hid,
++				       unsigned int type, unsigned int id,
++				       unsigned int fields,
++				       unsigned int report_counts)
++{
++	struct hid_report *report;
++	unsigned int i;
++
++	if (type > HID_FEATURE_REPORT) {
++		hid_err(hid, "invalid HID report %u\n", type);
++		return NULL;
++	}
++
++	report = hid->report_enum[type].report_id_hash[id];
++	if (!report) {
++		hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
++		return NULL;
++	}
++	if (report->maxfield < fields) {
++		hid_err(hid, "not enough fields in %s %u\n",
++			hid_report_names[type], id);
++		return NULL;
++	}
++	for (i = 0; i < fields; i++) {
++		if (report->field[i]->report_count < report_counts) {
++			hid_err(hid, "not enough values in %s %u fields\n",
++				hid_report_names[type], id);
++			return NULL;
++		}
++	}
++	return report;
++}
++EXPORT_SYMBOL_GPL(hid_validate_report);
++
+ /**
+  * hid_open_report - open a driver-specific device report
+  *
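Review bot: hid_validate_report() range-checks `type` but then indexes `hid->report_enum[type].report_id_hash[id]` without bounding `id`, although patch 01 of this series fixes that array at HID_MAX_IDS entries. Because the helper is exported to drivers, it should reject an out-of-range ID itself before the lookup: `if (id >= HID_MAX_IDS) return NULL;`, with a hid_err() like the other failure paths. The kerneldoc names `@device` while the parameter is `hid`. It also says `0 for first`, but the code does a plain index at slot 0 rather than taking the first report on the list, so the comment or the lookup should be changed to match.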
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index ff545cc..76e41d8 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
+ struct hid_device *hid_allocate_device(void);
+ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
+ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
++struct hid_report *hid_validate_report(struct hid_device *hid,
++				       unsigned int type, unsigned int id,
++				       unsigned int fields,
++				       unsigned int report_counts);
+ int hid_open_report(struct hid_device *device);
+ int hid_check_keys_pressed(struct hid_device *hid);
+ int hid_connect(struct hid_device *hid, unsigned int connect_mask);
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 03/14] HID: zeroplus: validate output report details
+Date: Wed, 28 Aug 2013 22:30:15 +0200 (CEST)
+Lines: 57
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282159270.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721819 9648 80.91.229.3 (28 Aug 2013 20:30:19 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:19 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:21 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmNg-0008U8-24
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:21 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754896Ab3H1UaT (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:30:19 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57913 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1752748Ab3H1UaS (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:30:18 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id A94ACA531D;
+	Wed, 28 Aug 2013 22:30:17 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31654
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31654>
+
+From: Kees Cook <keescook at chromium.org>
+
+The zeroplus HID driver was not checking the size of allocated values
+in fields it used. A HID device could send a malicious output report
+that would cause the driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+...
+[ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2889
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-zpff.c |   14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
+index 6ec28a3..b124991 100644
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid)
+ 	struct hid_report *report;
+ 	struct hid_input *hidinput = list_entry(hid->inputs.next,
+ 						struct hid_input, list);
+-	struct list_head *report_list =
+-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ 	struct input_dev *dev = hidinput->input;
+ 	int error;
+ 
+-	if (list_empty(report_list)) {
+-		hid_err(hid, "no output report found\n");
++	report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
++	if (!report)
+ 		return -ENODEV;
+-	}
+-
+-	report = list_entry(report_list->next, struct hid_report, list);
+-
+-	if (report->maxfield < 4) {
+-		hid_err(hid, "not enough fields in report\n");
+-		return -ENODEV;
+-	}
+ 
+ 	zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
+ 	if (!zpff)
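Review bot: The report lookup changes from the first entry on the output `report_list` to `report_id_hash[0]` via `hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1)`, and these are not necessarily the same report. If a device declares its output report with a non-zero Report ID, slot 0 is presumably empty, so zpff_init() would now return -ENODEV for hardware the removed code accepted. The same concern applies to the ID-0 calls added in the steelseries, lg2ff, lg3ff, lg4ff and lgff hunks. Either the helper should treat id 0 as "first report on the list", as its kerneldoc suggests, or each caller should pass the ID its device really uses. zpff_init() continues outside the hunk.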
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 05/14] HID: steelseries: validate output report details
+Date: Wed, 28 Aug 2013 22:30:37 +0200 (CEST)
+Lines: 43
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282201070.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721849 9885 80.91.229.3 (28 Aug 2013 20:30:49 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:49 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>, Simon Wood <simon at mungewell.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:51 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmO7-0000cl-Po
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:48 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1755238Ab3H1Uam (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:30:42 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57942 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1754222Ab3H1Uak (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:30:40 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id EFDE1A531D;
+	Wed, 28 Aug 2013 22:30:39 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31656
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31656>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious output report that would cause the
+steelseries HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+...
+[  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2891
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-steelseries.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
+index d164911..ef42e86 100644
+--- a/drivers/hid/hid-steelseries.c
++++ b/drivers/hid/hid-steelseries.c
+@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
+ 		goto err_free;
+ 	}
+ 
++	if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) {
++		ret = -ENODEV;
++		goto err_free;
++	}
++
+ 	ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ 	if (ret) {
+ 		hid_err(hdev, "hw start failed\n");
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 06/14] HID: pantherlord: validate output report details
+Date: Wed, 28 Aug 2013 22:30:49 +0200 (CEST)
+Lines: 47
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282218580.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721853 9919 80.91.229.3 (28 Aug 2013 20:30:53 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:53 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:55 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmOD-0000cl-Qd
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:54 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754500Ab3H1Uax (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:30:53 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57948 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1753468Ab3H1Uaw (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:30:52 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 21315A531D;
+	Wed, 28 Aug 2013 22:30:52 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31657
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31657>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-pl.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+ 			strong = &report->field[0]->value[2];
+ 			weak = &report->field[0]->value[3];
+ 			debug("detected single-field device");
+-		} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+-				report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++		} else if (report->field[0]->maxusage == 1 &&
++			   report->field[0]->usage[0].hid ==
++				(HID_UP_LED | 0x43) &&
++			   report->maxfield >= 4 &&
++			   report->field[0]->report_count >= 1 &&
++			   report->field[1]->report_count >= 1 &&
++			   report->field[2]->report_count >= 1 &&
++			   report->field[3]->report_count >= 1) {
+ 			report->field[0]->value[0] = 0x00;
+ 			report->field[1]->value[0] = 0x00;
+ 			strong = &report->field[2]->value[0];
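Review bot: The rewritten `else if` reads `report->field[0]->maxusage` and `usage[0].hid` before it tests `report->maxfield >= 4`, whereas the removed condition tested maxfield first. Unless a check outside this hunk guarantees at least one field, a report with no fields would reach the `field[0]` dereference, so `report->maxfield >= 4 &&` should go back to the front of the condition. The single-field branch above stores pointers to `value[2]` and `value[3]`, and its condition is outside the hunk. It is worth confirming that branch also requires `report->field[0]->report_count >= 4`. plff_init() starts and ends outside the hunk.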
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 07/14] HID: LG: validate HID output report details
+Date: Wed, 28 Aug 2013 22:31:00 +0200 (CEST)
+Lines: 194
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282219290.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721865 10099 80.91.229.3 (28 Aug 2013 20:31:05 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:05 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:07 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmOQ-0000cl-Fi
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:06 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1753468Ab3H1UbF (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:05 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57957 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1752780Ab3H1UbE (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:04 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 5F1F5A531D;
+	Wed, 28 Aug 2013 22:31:03 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31658
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31658>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious output report that would cause the
+lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+during an event, causing a heap overflow:
+
+[  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+...
+[  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+Additionally, while lg2 did correctly validate the report details, it was
+cleaned up and shortened.
+
+CVE-2013-2893
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-lg2ff.c |   19 +++----------------
+ drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c |   20 +-------------------
+ drivers/hid/hid-lgff.c  |   17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
+index b3cd150..9805197 100644
+--- a/drivers/hid/hid-lg2ff.c
++++ b/drivers/hid/hid-lg2ff.c
+@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
+ 	struct hid_report *report;
+ 	struct hid_input *hidinput = list_entry(hid->inputs.next,
+ 						struct hid_input, list);
+-	struct list_head *report_list =
+-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ 	struct input_dev *dev = hidinput->input;
+ 	int error;
+ 
+-	if (list_empty(report_list)) {
+-		hid_err(hid, "no output report found\n");
++	/* Check that the report looks ok */
++	report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
++	if (!report)
+ 		return -ENODEV;
+-	}
+-
+-	report = list_entry(report_list->next, struct hid_report, list);
+-
+-	if (report->maxfield < 1) {
+-		hid_err(hid, "output report is empty\n");
+-		return -ENODEV;
+-	}
+-	if (report->field[0]->report_count < 7) {
+-		hid_err(hid, "not enough values in the field\n");
+-		return -ENODEV;
+-	}
+ 
+ 	lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
+ 	if (!lg2ff)
+diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
+index e52f181..53ac79b 100644
+--- a/drivers/hid/hid-lg3ff.c
++++ b/drivers/hid/hid-lg3ff.c
+@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
+ 	int x, y;
+ 
+ /*
+- * Maxusage should always be 63 (maximum fields)
+- * likely a better way to ensure this data is clean
++ * Available values in the field should always be 63, but we only use up to
++ * 35. Instead, clear the entire area, however big it is.
+  */
+-	memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
++	memset(report->field[0]->value, 0,
++	       sizeof(__s32) * report->field[0]->report_count);
+ 
+ 	switch (effect->type) {
+ 	case FF_CONSTANT:
+@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
+ int lg3ff_init(struct hid_device *hid)
+ {
+ 	struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+-	struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ 	struct input_dev *dev = hidinput->input;
+-	struct hid_report *report;
+-	struct hid_field *field;
+ 	const signed short *ff_bits = ff3_joystick_ac;
+ 	int error;
+ 	int i;
+ 
+-	/* Find the report to use */
+-	if (list_empty(report_list)) {
+-		hid_err(hid, "No output report found\n");
+-		return -1;
+-	}
+-
+ 	/* Check that the report looks ok */
+-	report = list_entry(report_list->next, struct hid_report, list);
+-	if (!report) {
+-		hid_err(hid, "NULL output report\n");
+-		return -1;
+-	}
+-
+-	field = report->field[0];
+-	if (!field) {
+-		hid_err(hid, "NULL field\n");
+-		return -1;
+-	}
++	if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
++		return -ENODEV;
+ 
+ 	/* Assume single fixed device G940 */
+ 	for (i = 0; ff_bits[i] >= 0; i++)
+diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
+index 0ddae2a..8b89f0f 100644
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
+ int lg4ff_init(struct hid_device *hid)
+ {
+ 	struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+-	struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ 	struct input_dev *dev = hidinput->input;
+-	struct hid_report *report;
+-	struct hid_field *field;
+ 	struct lg4ff_device_entry *entry;
+ 	struct lg_drv_data *drv_data;
+ 	struct usb_device_descriptor *udesc;
+ 	int error, i, j;
+ 	__u16 bcdDevice, rev_maj, rev_min;
+ 
+-	/* Find the report to use */
+-	if (list_empty(report_list)) {
+-		hid_err(hid, "No output report found\n");
+-		return -1;
+-	}
+-
+ 	/* Check that the report looks ok */
+-	report = list_entry(report_list->next, struct hid_report, list);
+-	if (!report) {
+-		hid_err(hid, "NULL output report\n");
++	if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
+ 		return -1;
+-	}
+-
+-	field = report->field[0];
+-	if (!field) {
+-		hid_err(hid, "NULL field\n");
+-		return -1;
+-	}
+ 
+ 	/* Check what wheel has been connected */
+ 	for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
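Review bot: lg4ff_init() still returns a bare `-1` when `hid_validate_report()` fails, while the lg3ff_init() and lgff_init() hunks in this same patch switch that path to `-ENODEV`, matching lg2ff and zpff. Using `return -ENODEV;` here as well would give callers a consistent, meaningful errno across the lg drivers. The rest of lg4ff_init() is outside the hunk, so other `-1` returns may remain there.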
+diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
+index d7ea8c8..a84fb40 100644
+--- a/drivers/hid/hid-lgff.c
++++ b/drivers/hid/hid-lgff.c
+@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
+ int lgff_init(struct hid_device* hid)
+ {
+ 	struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+-	struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ 	struct input_dev *dev = hidinput->input;
+-	struct hid_report *report;
+-	struct hid_field *field;
+ 	const signed short *ff_bits = ff_joystick;
+ 	int error;
+ 	int i;
+ 
+-	/* Find the report to use */
+-	if (list_empty(report_list)) {
+-		hid_err(hid, "No output report found\n");
+-		return -1;
+-	}
+-
+ 	/* Check that the report looks ok */
+-	report = list_entry(report_list->next, struct hid_report, list);
+-	field = report->field[0];
+-	if (!field) {
+-		hid_err(hid, "NULL field\n");
+-		return -1;
+-	}
++	if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
++		return -ENODEV;
+ 
+ 	for (i = 0; i < ARRAY_SIZE(devices); i++) {
+ 		if (dev->id.vendor == devices[i].idVendor &&
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 08/14] HID: lenovo-tpkbd: validate output report details
+Date: Wed, 28 Aug 2013 22:31:10 +0200 (CEST)
+Lines: 42
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282219570.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721874 10167 80.91.229.3 (28 Aug 2013 20:31:14 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:14 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>,
+	Bernhard Seibold <mail at bernhard-seibold.de>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:16 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmOY-0000cl-HM
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:14 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754122Ab3H1UbN (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:13 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57965 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1752780Ab3H1UbN (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:13 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 982A1A531D;
+	Wed, 28 Aug 2013 22:31:12 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31659
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31659>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious output report that would cause the
+lenovo-tpkbd HID driver to write just beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+...
+[   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2894
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
+index 07837f5..b697ada 100644
+--- a/drivers/hid/hid-lenovo-tpkbd.c
++++ b/drivers/hid/hid-lenovo-tpkbd.c
+@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
+ 	char *name_mute, *name_micmute;
+ 	int ret;
+ 
++	/* Validate required reports. */
++	if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) ||
++	    !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2))
++		return -ENODEV;
++
+ 	if (sysfs_create_group(&hdev->dev.kobj,
+ 				&tpkbd_attr_group_pointer)) {
+ 		hid_warn(hdev, "Could not create sysfs group\n");
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 09/14] HID: logitech-dj: validate output report details
+Date: Wed, 28 Aug 2013 22:31:18 +0200 (CEST)
+Lines: 65
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282220530.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721883 10249 80.91.229.3 (28 Aug 2013 20:31:23 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:23 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>,
+	Nestor Lopez Casado <nlopezcasad at logitech.com>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:25 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmOg-0000cl-O9
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:23 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1752780Ab3H1UbW (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:22 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57976 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1751971Ab3H1UbV (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:21 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id D53F8A531D;
+	Wed, 28 Aug 2013 22:31:20 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31660
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31660>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious output report that would cause the
+logitech-dj HID driver to leak kernel memory contents to the device, or
+trigger a NULL dereference during initialization:
+
+[  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+...
+[  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+[  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+CVE-2013-2895
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index cd33084..7b99c2a 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ 	struct hid_report *report;
+ 	struct hid_report_enum *output_report_enum;
+ 	u8 *data = (u8 *)(&dj_report->device_index);
+-	int i;
++	unsigned int i, length;
+ 
+ 	output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+ 	report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ 		return -ENODEV;
+ 	}
+ 
+-	for (i = 0; i < report->field[0]->report_count; i++)
++	length = min_t(size_t, sizeof(*dj_report) - 1,
++			       report->field[0]->report_count);
++	for (i = 0; i < length; i++)
+ 		report->field[0]->value[i] = data[i];
+ 
+ 	hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
+@@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev,
+ 		goto hid_parse_fail;
+ 	}
+ 
++	if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++				 1, 3)) {
++		retval = -ENODEV;
++		goto hid_parse_fail;
++	}
++
+ 	/* Starts the usb device and connects to upper interfaces hiddev and
+ 	 * hidraw */
+ 	retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 10/14] HID: ntrig: validate feature report details
+Date: Wed, 28 Aug 2013 22:31:28 +0200 (CEST)
+Lines: 41
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282221210.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721895 10362 80.91.229.3 (28 Aug 2013 20:31:35 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:35 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>, Rafi Rubin <rafi at seas.upenn.edu>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:36 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmOq-0000cl-KK
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:32 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1753024Ab3H1Ubc (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:32 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57985 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1751971Ab3H1Ubb (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:31 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id C4DDAA531D;
+	Wed, 28 Aug 2013 22:31:30 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31661
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31661>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-ntrig.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index ef95102..5482156 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+ 	struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ 				    report_id_hash[0x0d];
+ 
+-	if (!report)
++	if (!report || report->maxfield < 1 ||
++	    report->field[0]->report_count < 1)
+ 		return -EINVAL;
+ 
+ 	hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 11/14] HID: multitouch: validate feature report details
+Date: Wed, 28 Aug 2013 22:31:37 +0200 (CEST)
+Lines: 77
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282221440.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721900 10409 80.91.229.3 (28 Aug 2013 20:31:40 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:40 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>,
+	Henrik Rydberg <rydberg at euromail.se>,
+	Benjamin Tissoires <benjamin.tissoires at redhat.com>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:42 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmOz-0000cl-Ku
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:42 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754253Ab3H1Ubl (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:41 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57991 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1754222Ab3H1Ubk (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:40 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id BA511A535B;
+	Wed, 28 Aug 2013 22:31:39 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31662
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31662>
+
+From: Kees Cook <keescook at chromium.org>
+
+When working on report indexes, always validate that they are in bounds.
+Without this, a HID device could report a malicious feature report that
+could trick the driver into a heap overflow:
+
+[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+...
+[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
+
+CVE-2013-2897
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index cb0e361..2aa275e 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ 				break;
+ 			}
+ 		}
++		/* Ignore if value index is out of bounds. */
++		if (td->inputmode_index < 0 ||
++		    td->inputmode_index >= field->report_count) {
++			dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
++			td->inputmode = -1;
++		}
+ 
+ 		break;
+ 	case HID_DG_CONTACTMAX:
++		/* Ignore if value count is out of bounds. */
++		if (field->report_count < 1)
++			break;
+ 		td->maxcontact_report_id = field->report->id;
+ 		td->maxcontacts = field->value[0];
+ 		if (!td->maxcontacts &&
+@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report)
+ 	unsigned count;
+ 	int r, n;
+ 
++	if (report->maxfield == 0)
++		return;
++
+ 	/*
+ 	 * Includes multi-packet support where subsequent
+ 	 * packets are sent with zero contactcount.
+ 	 */
+-	if (td->cc_index >= 0) {
+-		struct hid_field *field = report->field[td->cc_index];
+-		int value = field->value[td->cc_value_index];
+-		if (value)
+-			td->num_expected = value;
++	if (td->cc_index >= 0 && td->cc_index < report->maxfield) {
++		field = report->field[td->cc_index];
++		if (td->cc_value_index >= 0 &&
++		    td->cc_value_index < field->report_count) {
++			int value = field->value[td->cc_value_index];
++			if (value)
++				td->num_expected = value;
++		}
+ 	}
+ 
+ 	for (r = 0; r < report->maxfield; r++) {
+
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 12/14] HID: sensor-hub: validate feature report details
+Date: Wed, 28 Aug 2013 22:31:44 +0200 (CEST)
+Lines: 36
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282222190.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721907 10489 80.91.229.3 (28 Aug 2013 20:31:47 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:47 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>,
+	Mika Westerberg <mika.westerberg at linux.intel.com>,
+	srinivas pandruvada <srinivas.pandruvada at intel.com>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:51 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmP8-0000cl-9D
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:50 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754788Ab3H1Ubt (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:49 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:58000 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1754228Ab3H1Ubt (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:49 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id BBD85A535B;
+	Wed, 28 Aug 2013 22:31:47 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31663
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31663>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-sensor-hub.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ca749810..aa34755 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+ 
+ 	mutex_lock(&data->mutex);
+ 	report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+-	if (!report || (field_index >=  report->maxfield)) {
++	if (!report || (field_index >=  report->maxfield) ||
++	    report->field[field_index]->report_count < 1) {
+ 		ret = -EINVAL;
+ 		goto done_proc;
+ 	}
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 13/14] HID: picolcd_core: validate output report details
+Date: Wed, 28 Aug 2013 22:31:52 +0200 (CEST)
+Lines: 34
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282222460.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721917 10573 80.91.229.3 (28 Aug 2013 20:31:57 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:57 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>,
+	=?ISO-8859-15?Q?Bruno_Pr=E9mont?= <bonbons at linux-vserver.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:59 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmPE-0000cl-T8
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:57 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754901Ab3H1Ub4 (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:31:56 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:58006 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1754228Ab3H1Ub4 (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:31:56 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 2720DA531D;
+	Wed, 28 Aug 2013 22:31:55 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31664
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31664>
+
+From: Kees Cook <keescook at chromium.org>
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-picolcd_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..72bba1e 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+ 		buf += 10;
+ 		cnt -= 10;
+ 	}
+-	if (!report)
++	if (!report || report->maxfield < 1)
+ 		return -EINVAL;
+ 
+ 	while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina at suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 14/14] HID: check for NULL field when setting values
+Date: Wed, 28 Aug 2013 22:32:01 +0200 (CEST)
+Lines: 36
+Approved: news at gmane.org
+Message-ID: <alpine.LNX.2.00.1308282223090.22181 at pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721927 10651 80.91.229.3 (28 Aug 2013 20:32:07 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:32:07 +0000 (UTC)
+Cc: Kees Cook <keescook at chromium.org>
+To: linux-input at vger.kernel.org
+Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:32:06 2013
+Return-path: <linux-input-owner at vger.kernel.org>
+Envelope-to: glki-linux-input-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-input-owner at vger.kernel.org>)
+	id 1VEmPO-0000cl-40
+	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:32:06 +0200
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754959Ab3H1UcF (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
+	Wed, 28 Aug 2013 16:32:05 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:58016 "EHLO mx2.suse.de"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1754282Ab3H1UcE (ORCPT <rfc822;linux-input at vger.kernel.org>);
+	Wed, 28 Aug 2013 16:32:04 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+	by mx2.suse.de (Postfix) with ESMTP id 6D278A531D;
+	Wed, 28 Aug 2013 22:32:03 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input at vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31665
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31665>
+
+From: Kees Cook <keescook at chromium.org>
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at kernel.org
+---
+ drivers/hid/hid-core.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 55798b2..192be6b 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1206,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+ 
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+-	unsigned size = field->report_size;
++	unsigned size;
++
++	if (!field)
++		return -1;
++
++	size = field->report_size;
+ 
+ 	hid_dump_input(field->report->device, field->usage + offset, value);
+ 
+-- 
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
diff --git a/kernel.spec b/kernel.spec
index 0a736f3..def0d5c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -774,6 +774,13 @@ Patch25079: 3.10.-6-7-crashes-on-network-activity.patch
 
 Patch25090: mei-3.10.y.patch
 
+#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
+#CVE-2013-2891 rhbz 999960 1002555  CVE-2013-2892 rhbz 1000429 1002570
+#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
+#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
+#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
+Patch25099: HID-CVE-fixes.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
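Review bot: The CVE comment block above `Patch25099` omits CVE-2013-2898, although the bundled HID-CVE-fixes.patch carries the sensor-hub fix (patch 12/14) that is labelled with that CVE. Anyone auditing the package by searching the spec or changelog for CVE ids would conclude that fix is absent. Whether the omission is deliberate cannot be told from this page; if it is not, add a line such as `#CVE-2013-2898 rhbz <BUG-ID>` (placeholder, the bug number is not shown here) to this block, to the matching comment block in the `ApplyPatch` hunk, and to the `%changelog` entry.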
@@ -1483,6 +1490,13 @@ ApplyPatch 3.10.-6-7-crashes-on-network-activity.patch
 
 ApplyPatch mei-3.10.y.patch
 
+#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
+#CVE-2013-2891 rhbz 999960 1002555  CVE-2013-2892 rhbz 1000429 1002570
+#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
+#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
+#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
+ApplyPatch HID-CVE-fixes.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2324,6 +2338,14 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri Aug 30 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- Fix HID CVEs.  Absurd.
+- CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
+- CVE-2013-2891 rhbz 999960 1002555  CVE-2013-2892 rhbz 1000429 1002570
+- CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
+- CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
+- CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
+
 * Thu Aug 29 2013 Justin M. Forbes <jforbes at fedoraproject.org> 3.10.10-100
 - Linux v3.10.10
 

