[kernel] Linux v3.11-6855-g4de9ad9

Josh Boyer jwboyer at fedoraproject.org
Fri Sep 6 19:37:06 UTC 2013


commit 012898697609c59c8c4608f03da69150fe196349
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Fri Sep 6 14:50:17 2013 -0400

    Linux v3.11-6855-g4de9ad9

 HID-CVE-fixes.patch |  529 ---------------------------------------------------
 config-generic      |    1 +
 kernel.spec         |    5 +-
 sources             |    2 +-
 4 files changed, 6 insertions(+), 531 deletions(-)
---
diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch
index dc44c5e..80fda95 100644
--- a/HID-CVE-fixes.patch
+++ b/HID-CVE-fixes.patch
@@ -1,129 +1,6 @@
 Path: news.gmane.org!not-for-mail
 From: Jiri Kosina <jkosina at suse.cz>
 Newsgroups: gmane.linux.kernel.input
-Subject: [PATCH 01/14] HID: validate HID report id size
-Date: Wed, 28 Aug 2013 22:29:55 +0200 (CEST)
-Lines: 81
-Approved: news at gmane.org
-Message-ID: <alpine.LNX.2.00.1308282158220.22181 at pobox.suse.cz>
-NNTP-Posting-Host: plane.gmane.org
-Mime-Version: 1.0
-Content-Type: TEXT/PLAIN; charset=US-ASCII
-X-Trace: ger.gmane.org 1377721804 9521 80.91.229.3 (28 Aug 2013 20:30:04 GMT)
-X-Complaints-To: usenet at ger.gmane.org
-NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:04 +0000 (UTC)
-Cc: Kees Cook <keescook at chromium.org>
-To: linux-input at vger.kernel.org
-Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:06 2013
-Return-path: <linux-input-owner at vger.kernel.org>
-Envelope-to: glki-linux-input-2 at plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
-	by plane.gmane.org with esmtp (Exim 4.69)
-	(envelope-from <linux-input-owner at vger.kernel.org>)
-	id 1VEmNR-0008U8-2t
-	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:05 +0200
-Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
-	id S1754658Ab3H1UaD (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
-	Wed, 28 Aug 2013 16:30:03 -0400
-Original-Received: from cantor2.suse.de ([195.135.220.15]:57907 "EHLO mx2.suse.de"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1752748Ab3H1UaD (ORCPT <rfc822;linux-input at vger.kernel.org>);
-	Wed, 28 Aug 2013 16:30:03 -0400
-Original-Received: from relay2.suse.de (unknown [195.135.220.254])
-	by mx2.suse.de (Postfix) with ESMTP id 1C5ACA535B;
-	Wed, 28 Aug 2013 22:30:01 +0200 (CEST)
-User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
-Original-Sender: linux-input-owner at vger.kernel.org
-Precedence: bulk
-List-ID: <linux-input.vger.kernel.org>
-X-Mailing-List: linux-input at vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel.input:31652
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31652>
-
-From: Kees Cook <keescook at chromium.org>
-
-The "Report ID" field of a HID report is used to build indexes of
-reports. The kernel's index of these is limited to 256 entries, so any
-malicious device that sets a Report ID greater than 255 will trigger
-memory corruption on the host:
-
-[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
-[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
-
-CVE-2013-2888
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
----
- drivers/hid/hid-core.c |   10 +++++++---
- include/linux/hid.h    |    4 +++-
- 2 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 36668d1..5ea7d51 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
- 	struct hid_report_enum *report_enum = device->report_enum + type;
- 	struct hid_report *report;
- 
-+	if (id >= HID_MAX_IDS)
-+		return NULL;
- 	if (report_enum->report_id_hash[id])
- 		return report_enum->report_id_hash[id];
- 
-@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
- 
- 	case HID_GLOBAL_ITEM_TAG_REPORT_ID:
- 		parser->global.report_id = item_udata(item);
--		if (parser->global.report_id == 0) {
--			hid_err(parser->device, "report_id 0 is invalid\n");
-+		if (parser->global.report_id == 0 ||
-+		    parser->global.report_id >= HID_MAX_IDS) {
-+			hid_err(parser->device, "report_id %u is invalid\n",
-+				parser->global.report_id);
- 			return -1;
- 		}
- 		return 0;
-@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
- 	for (i = 0; i < HID_REPORT_TYPES; i++) {
- 		struct hid_report_enum *report_enum = device->report_enum + i;
- 
--		for (j = 0; j < 256; j++) {
-+		for (j = 0; j < HID_MAX_IDS; j++) {
- 			struct hid_report *report = report_enum->report_id_hash[j];
- 			if (report)
- 				hid_free_report(report);
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 0c48991..ff545cc 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -393,10 +393,12 @@ struct hid_report {
- 	struct hid_device *device;			/* associated device */
- };
- 
-+#define HID_MAX_IDS 256
-+
- struct hid_report_enum {
- 	unsigned numbered;
- 	struct list_head report_list;
--	struct hid_report *report_id_hash[256];
-+	struct hid_report *report_id_hash[HID_MAX_IDS];
- };
- 
- #define HID_REPORT_TYPES 3
-
--- 
-Jiri Kosina
-SUSE Labs
---
-To unsubscribe from this list: send the line "unsubscribe linux-input" in
-the body of a message to majordomo at vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
-
-Path: news.gmane.org!not-for-mail
-From: Jiri Kosina <jkosina at suse.cz>
-Newsgroups: gmane.linux.kernel.input
 Subject: [PATCH 02/14] HID: provide a helper for validating hid reports
 Date: Wed, 28 Aug 2013 22:30:06 +0200 (CEST)
 Lines: 99
@@ -531,94 +408,6 @@ To unsubscribe from this list: send the line "unsubscribe linux-input" in
 the body of a message to majordomo at vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
-Path: news.gmane.org!not-for-mail
-From: Jiri Kosina <jkosina at suse.cz>
-Newsgroups: gmane.linux.kernel.input
-Subject: [PATCH 06/14] HID: pantherlord: validate output report details
-Date: Wed, 28 Aug 2013 22:30:49 +0200 (CEST)
-Lines: 47
-Approved: news at gmane.org
-Message-ID: <alpine.LNX.2.00.1308282218580.22181 at pobox.suse.cz>
-NNTP-Posting-Host: plane.gmane.org
-Mime-Version: 1.0
-Content-Type: TEXT/PLAIN; charset=US-ASCII
-X-Trace: ger.gmane.org 1377721853 9919 80.91.229.3 (28 Aug 2013 20:30:53 GMT)
-X-Complaints-To: usenet at ger.gmane.org
-NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:53 +0000 (UTC)
-Cc: Kees Cook <keescook at chromium.org>
-To: linux-input at vger.kernel.org
-Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:30:55 2013
-Return-path: <linux-input-owner at vger.kernel.org>
-Envelope-to: glki-linux-input-2 at plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
-	by plane.gmane.org with esmtp (Exim 4.69)
-	(envelope-from <linux-input-owner at vger.kernel.org>)
-	id 1VEmOD-0000cl-Qd
-	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:30:54 +0200
-Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
-	id S1754500Ab3H1Uax (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
-	Wed, 28 Aug 2013 16:30:53 -0400
-Original-Received: from cantor2.suse.de ([195.135.220.15]:57948 "EHLO mx2.suse.de"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1753468Ab3H1Uaw (ORCPT <rfc822;linux-input at vger.kernel.org>);
-	Wed, 28 Aug 2013 16:30:52 -0400
-Original-Received: from relay2.suse.de (unknown [195.135.220.254])
-	by mx2.suse.de (Postfix) with ESMTP id 21315A531D;
-	Wed, 28 Aug 2013 22:30:52 +0200 (CEST)
-User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
-Original-Sender: linux-input-owner at vger.kernel.org
-Precedence: bulk
-List-ID: <linux-input.vger.kernel.org>
-X-Mailing-List: linux-input at vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel.input:31657
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31657>
-
-From: Kees Cook <keescook at chromium.org>
-
-A HID device could send a malicious output report that would cause the
-pantherlord HID driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-
-[  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
-...
-[  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-
-CVE-2013-2892
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
----
- drivers/hid/hid-pl.c |   10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
-index d29112f..2dcd7d9 100644
---- a/drivers/hid/hid-pl.c
-+++ b/drivers/hid/hid-pl.c
-@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
- 			strong = &report->field[0]->value[2];
- 			weak = &report->field[0]->value[3];
- 			debug("detected single-field device");
--		} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
--				report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
-+		} else if (report->field[0]->maxusage == 1 &&
-+			   report->field[0]->usage[0].hid ==
-+				(HID_UP_LED | 0x43) &&
-+			   report->maxfield >= 4 &&
-+			   report->field[0]->report_count >= 1 &&
-+			   report->field[1]->report_count >= 1 &&
-+			   report->field[2]->report_count >= 1 &&
-+			   report->field[3]->report_count >= 1) {
- 			report->field[0]->value[0] = 0x00;
- 			report->field[1]->value[0] = 0x00;
- 			strong = &report->field[2]->value[0];
--- 
-Jiri Kosina
-SUSE Labs
---
-To unsubscribe from this list: send the line "unsubscribe linux-input" in
-the body of a message to majordomo at vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
 Path: news.gmane.org!not-for-mail
 From: Jiri Kosina <jkosina at suse.cz>
@@ -1049,88 +838,6 @@ To unsubscribe from this list: send the line "unsubscribe linux-input" in
 the body of a message to majordomo at vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
-Path: news.gmane.org!not-for-mail
-From: Jiri Kosina <jkosina at suse.cz>
-Newsgroups: gmane.linux.kernel.input
-Subject: [PATCH 10/14] HID: ntrig: validate feature report details
-Date: Wed, 28 Aug 2013 22:31:28 +0200 (CEST)
-Lines: 41
-Approved: news at gmane.org
-Message-ID: <alpine.LNX.2.00.1308282221210.22181 at pobox.suse.cz>
-NNTP-Posting-Host: plane.gmane.org
-Mime-Version: 1.0
-Content-Type: TEXT/PLAIN; charset=US-ASCII
-X-Trace: ger.gmane.org 1377721895 10362 80.91.229.3 (28 Aug 2013 20:31:35 GMT)
-X-Complaints-To: usenet at ger.gmane.org
-NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:35 +0000 (UTC)
-Cc: Kees Cook <keescook at chromium.org>, Rafi Rubin <rafi at seas.upenn.edu>
-To: linux-input at vger.kernel.org
-Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:36 2013
-Return-path: <linux-input-owner at vger.kernel.org>
-Envelope-to: glki-linux-input-2 at plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
-	by plane.gmane.org with esmtp (Exim 4.69)
-	(envelope-from <linux-input-owner at vger.kernel.org>)
-	id 1VEmOq-0000cl-KK
-	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:32 +0200
-Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
-	id S1753024Ab3H1Ubc (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
-	Wed, 28 Aug 2013 16:31:32 -0400
-Original-Received: from cantor2.suse.de ([195.135.220.15]:57985 "EHLO mx2.suse.de"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1751971Ab3H1Ubb (ORCPT <rfc822;linux-input at vger.kernel.org>);
-	Wed, 28 Aug 2013 16:31:31 -0400
-Original-Received: from relay1.suse.de (unknown [195.135.220.254])
-	by mx2.suse.de (Postfix) with ESMTP id C4DDAA531D;
-	Wed, 28 Aug 2013 22:31:30 +0200 (CEST)
-User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
-Original-Sender: linux-input-owner at vger.kernel.org
-Precedence: bulk
-List-ID: <linux-input.vger.kernel.org>
-X-Mailing-List: linux-input at vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel.input:31661
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31661>
-
-From: Kees Cook <keescook at chromium.org>
-
-A HID device could send a malicious feature report that would cause the
-ntrig HID driver to trigger a NULL dereference during initialization:
-
-[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
-...
-[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
-
-CVE-2013-2896
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
----
- drivers/hid/hid-ntrig.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index ef95102..5482156 100644
---- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
- 	struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
- 				    report_id_hash[0x0d];
- 
--	if (!report)
-+	if (!report || report->maxfield < 1 ||
-+	    report->field[0]->report_count < 1)
- 		return -EINVAL;
- 
- 	hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
-
--- 
-Jiri Kosina
-SUSE Labs
---
-To unsubscribe from this list: send the line "unsubscribe linux-input" in
-the body of a message to majordomo at vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
 Path: news.gmane.org!not-for-mail
 From: Jiri Kosina <jkosina at suse.cz>
@@ -1252,239 +959,3 @@ SUSE Labs
 To unsubscribe from this list: send the line "unsubscribe linux-input" in
 the body of a message to majordomo at vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
-
-Path: news.gmane.org!not-for-mail
-From: Jiri Kosina <jkosina at suse.cz>
-Newsgroups: gmane.linux.kernel.input
-Subject: [PATCH 12/14] HID: sensor-hub: validate feature report details
-Date: Wed, 28 Aug 2013 22:31:44 +0200 (CEST)
-Lines: 36
-Approved: news at gmane.org
-Message-ID: <alpine.LNX.2.00.1308282222190.22181 at pobox.suse.cz>
-NNTP-Posting-Host: plane.gmane.org
-Mime-Version: 1.0
-Content-Type: TEXT/PLAIN; charset=US-ASCII
-X-Trace: ger.gmane.org 1377721907 10489 80.91.229.3 (28 Aug 2013 20:31:47 GMT)
-X-Complaints-To: usenet at ger.gmane.org
-NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:47 +0000 (UTC)
-Cc: Kees Cook <keescook at chromium.org>,
-	Mika Westerberg <mika.westerberg at linux.intel.com>,
-	srinivas pandruvada <srinivas.pandruvada at intel.com>
-To: linux-input at vger.kernel.org
-Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:51 2013
-Return-path: <linux-input-owner at vger.kernel.org>
-Envelope-to: glki-linux-input-2 at plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
-	by plane.gmane.org with esmtp (Exim 4.69)
-	(envelope-from <linux-input-owner at vger.kernel.org>)
-	id 1VEmP8-0000cl-9D
-	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:50 +0200
-Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
-	id S1754788Ab3H1Ubt (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
-	Wed, 28 Aug 2013 16:31:49 -0400
-Original-Received: from cantor2.suse.de ([195.135.220.15]:58000 "EHLO mx2.suse.de"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1754228Ab3H1Ubt (ORCPT <rfc822;linux-input at vger.kernel.org>);
-	Wed, 28 Aug 2013 16:31:49 -0400
-Original-Received: from relay2.suse.de (unknown [195.135.220.254])
-	by mx2.suse.de (Postfix) with ESMTP id BBD85A535B;
-	Wed, 28 Aug 2013 22:31:47 +0200 (CEST)
-User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
-Original-Sender: linux-input-owner at vger.kernel.org
-Precedence: bulk
-List-ID: <linux-input.vger.kernel.org>
-X-Mailing-List: linux-input at vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel.input:31663
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31663>
-
-From: Kees Cook <keescook at chromium.org>
-
-A HID device could send a malicious feature report that would cause the
-sensor-hub HID driver to read past the end of heap allocation, leaking
-kernel memory contents to the caller.
-
-CVE-2013-2898
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
----
- drivers/hid/hid-sensor-hub.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
-index ca749810..aa34755 100644
---- a/drivers/hid/hid-sensor-hub.c
-+++ b/drivers/hid/hid-sensor-hub.c
-@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
- 
- 	mutex_lock(&data->mutex);
- 	report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
--	if (!report || (field_index >=  report->maxfield)) {
-+	if (!report || (field_index >=  report->maxfield) ||
-+	    report->field[field_index]->report_count < 1) {
- 		ret = -EINVAL;
- 		goto done_proc;
- 	}
--- 
-Jiri Kosina
-SUSE Labs
---
-To unsubscribe from this list: send the line "unsubscribe linux-input" in
-the body of a message to majordomo at vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
-
-Path: news.gmane.org!not-for-mail
-From: Jiri Kosina <jkosina at suse.cz>
-Newsgroups: gmane.linux.kernel.input
-Subject: [PATCH 13/14] HID: picolcd_core: validate output report details
-Date: Wed, 28 Aug 2013 22:31:52 +0200 (CEST)
-Lines: 34
-Approved: news at gmane.org
-Message-ID: <alpine.LNX.2.00.1308282222460.22181 at pobox.suse.cz>
-NNTP-Posting-Host: plane.gmane.org
-Mime-Version: 1.0
-Content-Type: TEXT/PLAIN; charset=US-ASCII
-X-Trace: ger.gmane.org 1377721917 10573 80.91.229.3 (28 Aug 2013 20:31:57 GMT)
-X-Complaints-To: usenet at ger.gmane.org
-NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:57 +0000 (UTC)
-Cc: Kees Cook <keescook at chromium.org>,
-	=?ISO-8859-15?Q?Bruno_Pr=E9mont?= <bonbons at linux-vserver.org>
-To: linux-input at vger.kernel.org
-Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:31:59 2013
-Return-path: <linux-input-owner at vger.kernel.org>
-Envelope-to: glki-linux-input-2 at plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
-	by plane.gmane.org with esmtp (Exim 4.69)
-	(envelope-from <linux-input-owner at vger.kernel.org>)
-	id 1VEmPE-0000cl-T8
-	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:31:57 +0200
-Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
-	id S1754901Ab3H1Ub4 (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
-	Wed, 28 Aug 2013 16:31:56 -0400
-Original-Received: from cantor2.suse.de ([195.135.220.15]:58006 "EHLO mx2.suse.de"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1754228Ab3H1Ub4 (ORCPT <rfc822;linux-input at vger.kernel.org>);
-	Wed, 28 Aug 2013 16:31:56 -0400
-Original-Received: from relay2.suse.de (unknown [195.135.220.254])
-	by mx2.suse.de (Postfix) with ESMTP id 2720DA531D;
-	Wed, 28 Aug 2013 22:31:55 +0200 (CEST)
-User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
-Original-Sender: linux-input-owner at vger.kernel.org
-Precedence: bulk
-List-ID: <linux-input.vger.kernel.org>
-X-Mailing-List: linux-input at vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel.input:31664
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31664>
-
-From: Kees Cook <keescook at chromium.org>
-
-A HID device could send a malicious output report that would cause the
-picolcd HID driver to trigger a NULL dereference during attr file writing.
-
-CVE-2013-2899
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
----
- drivers/hid/hid-picolcd_core.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
-index b48092d..72bba1e 100644
---- a/drivers/hid/hid-picolcd_core.c
-+++ b/drivers/hid/hid-picolcd_core.c
-@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
- 		buf += 10;
- 		cnt -= 10;
- 	}
--	if (!report)
-+	if (!report || report->maxfield < 1)
- 		return -EINVAL;
- 
- 	while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
--- 
-Jiri Kosina
-SUSE Labs
---
-To unsubscribe from this list: send the line "unsubscribe linux-input" in
-the body of a message to majordomo at vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
-
-Path: news.gmane.org!not-for-mail
-From: Jiri Kosina <jkosina at suse.cz>
-Newsgroups: gmane.linux.kernel.input
-Subject: [PATCH 14/14] HID: check for NULL field when setting values
-Date: Wed, 28 Aug 2013 22:32:01 +0200 (CEST)
-Lines: 36
-Approved: news at gmane.org
-Message-ID: <alpine.LNX.2.00.1308282223090.22181 at pobox.suse.cz>
-NNTP-Posting-Host: plane.gmane.org
-Mime-Version: 1.0
-Content-Type: TEXT/PLAIN; charset=US-ASCII
-X-Trace: ger.gmane.org 1377721927 10651 80.91.229.3 (28 Aug 2013 20:32:07 GMT)
-X-Complaints-To: usenet at ger.gmane.org
-NNTP-Posting-Date: Wed, 28 Aug 2013 20:32:07 +0000 (UTC)
-Cc: Kees Cook <keescook at chromium.org>
-To: linux-input at vger.kernel.org
-Original-X-From: linux-input-owner at vger.kernel.org Wed Aug 28 22:32:06 2013
-Return-path: <linux-input-owner at vger.kernel.org>
-Envelope-to: glki-linux-input-2 at plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
-	by plane.gmane.org with esmtp (Exim 4.69)
-	(envelope-from <linux-input-owner at vger.kernel.org>)
-	id 1VEmPO-0000cl-40
-	for glki-linux-input-2 at plane.gmane.org; Wed, 28 Aug 2013 22:32:06 +0200
-Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
-	id S1754959Ab3H1UcF (ORCPT <rfc822;glki-linux-input-2 at m.gmane.org>);
-	Wed, 28 Aug 2013 16:32:05 -0400
-Original-Received: from cantor2.suse.de ([195.135.220.15]:58016 "EHLO mx2.suse.de"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1754282Ab3H1UcE (ORCPT <rfc822;linux-input at vger.kernel.org>);
-	Wed, 28 Aug 2013 16:32:04 -0400
-Original-Received: from relay1.suse.de (unknown [195.135.220.254])
-	by mx2.suse.de (Postfix) with ESMTP id 6D278A531D;
-	Wed, 28 Aug 2013 22:32:03 +0200 (CEST)
-User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
-Original-Sender: linux-input-owner at vger.kernel.org
-Precedence: bulk
-List-ID: <linux-input.vger.kernel.org>
-X-Mailing-List: linux-input at vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel.input:31665
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31665>
-
-From: Kees Cook <keescook at chromium.org>
-
-Defensively check that the field to be worked on is not NULL.
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
----
- drivers/hid/hid-core.c |    7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 55798b2..192be6b 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1206,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
- 
- int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
- {
--	unsigned size = field->report_size;
-+	unsigned size;
-+
-+	if (!field)
-+		return -1;
-+
-+	size = field->report_size;
- 
- 	hid_dump_input(field->report->device, field->usage + offset, value);
- 
--- 
-Jiri Kosina
-SUSE Labs
---
-To unsubscribe from this list: send the line "unsubscribe linux-input" in
-the body of a message to majordomo at vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
-
diff --git a/config-generic b/config-generic
index ef9ee05..7df3652 100644
--- a/config-generic
+++ b/config-generic
@@ -3346,6 +3346,7 @@ CONFIG_HID_SMARTJOYPLUS=m
 CONFIG_HID_TOPSEED=m
 CONFIG_HID_THINGM=m
 CONFIG_HID_THRUSTMASTER=m
+CONFIG_HID_XINMO=m
 CONFIG_HID_ZEROPLUS=m
 CONFIG_HID_ZYDACRON=m
 CONFIG_HID_SENSOR_HUB=m
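Review bot: `CONFIG_HID_XINMO=m` is enabled here with no record of why, since the commit message and the new %changelog entry in kernel.spec both say only `Linux v3.11-6855-g4de9ad9`. The same commit removes patches 01, 06, 10, 12, 13 and 14 of the HID validation series from HID-CVE-fixes.patch (covering CVE-2013-2888, CVE-2013-2892, CVE-2013-2896, CVE-2013-2898 and CVE-2013-2899), presumably because the new snapshot already carries them, but nothing on the page states that. Anyone auditing which kernel builds still have these fixes would have to rediscover that from the upstream tree. I would add two lines to the changelog entry, `- Enable CONFIG_HID_XINMO as a module` and `- Drop HID CVE patches merged in the upstream snapshot`, after confirming each dropped patch is present in 4de9ad9.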
diff --git a/kernel.spec b/kernel.spec
index 28a218b..ff0e3d6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 13
+%define gitrev 14
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -2301,6 +2301,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Fri Sep 06 2013 Josh Boyer <jwboyer at fedoraproject.org> - 3.12.0-0.rc0.git14.1
+- Linux v3.11-6855-g4de9ad9
+
 * Fri Sep 06 2013 Kyle McMartin <kyle at redhat.com>
 - [arm] enable KERNEL_MODE_NEON, safe to do, as the raid6 code tests hwcaps
   so it won't impact tegra.
diff --git a/sources b/sources
index 8ea8152..a705ca0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 fea363551ff45fbe4cb88497b863b261  linux-3.11.tar.xz
-a0f29a37d42d8aa73393fb70992ffb11  patch-3.11-git13.xz
+fa0d29db568eef6e318c5d78dc4de40d  patch-3.11-git14.xz

