[kernel/f20] Fix hidp crash with apple bluetooth trackpads (rhbz 1027465)

Josh Boyer jwboyer at fedoraproject.org
Tue Mar 4 18:39:05 UTC 2014


commit 70c5e5d572ce2744cacf1185c84e235968c7bc67
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Mar 4 13:37:04 2014 -0500

    Fix hidp crash with apple bluetooth trackpads (rhbz 1027465)

 ...th-hidp-make-sure-input-buffers-are-big-e.patch |   95 ++++++++++++++++++++
 kernel.spec                                        |    9 ++
 2 files changed, 104 insertions(+), 0 deletions(-)
---
diff --git a/HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch b/HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
new file mode 100644
index 0000000..0fb3cc4
--- /dev/null
+++ b/HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
@@ -0,0 +1,95 @@
+Bugzilla: 1027465
+Upstream-status: 3.14
+
+From a4b1b5877b514b276f0f31efe02388a9c2836728 Mon Sep 17 00:00:00 2001
+From: David Herrmann <dh.herrmann at gmail.com>
+Date: Thu, 19 Dec 2013 12:09:32 +0100
+Subject: [PATCH] HID: Bluetooth: hidp: make sure input buffers are big enough
+
+HID core expects the input buffers to be at least of size 4096
+(HID_MAX_BUFFER_SIZE). Other sizes will result in buffer-overflows if an
+input-report is smaller than advertised. We could, like i2c, compute the
+biggest report-size instead of using HID_MAX_BUFFER_SIZE, but this will
+blow up if report-descriptors are changed after ->start() has been called.
+So lets be safe and just use the biggest buffer we have.
+
+Note that this adds an additional copy to the HIDP input path. If there is
+a way to make sure the skb-buf is big enough, we should use that instead.
+
+The best way would be to make hid-core honor the @size argument, though,
+that sounds easier than it is. So lets just fix the buffer-overflows for
+now and afterwards look for a faster way for all transport drivers.
+
+Signed-off-by: David Herrmann <dh.herrmann at gmail.com>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ net/bluetooth/hidp/hidp.h |  4 ++++
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 292e619..d9fb934 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -430,6 +430,16 @@ static void hidp_del_timer(struct hidp_session *session)
+ 		del_timer(&session->timer);
+ }
+ 
++static void hidp_process_report(struct hidp_session *session,
++				int type, const u8 *data, int len, int intr)
++{
++	if (len > HID_MAX_BUFFER_SIZE)
++		len = HID_MAX_BUFFER_SIZE;
++
++	memcpy(session->input_buf, data, len);
++	hid_input_report(session->hid, type, session->input_buf, len, intr);
++}
++
+ static void hidp_process_handshake(struct hidp_session *session,
+ 					unsigned char param)
+ {
+@@ -502,7 +512,8 @@ static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
+ 			hidp_input_report(session, skb);
+ 
+ 		if (session->hid)
+-			hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
++			hidp_process_report(session, HID_INPUT_REPORT,
++					    skb->data, skb->len, 0);
+ 		break;
+ 
+ 	case HIDP_DATA_RTYPE_OTHER:
+@@ -584,7 +595,8 @@ static void hidp_recv_intr_frame(struct hidp_session *session,
+ 			hidp_input_report(session, skb);
+ 
+ 		if (session->hid) {
+-			hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1);
++			hidp_process_report(session, HID_INPUT_REPORT,
++					    skb->data, skb->len, 1);
+ 			BT_DBG("report len %d", skb->len);
+ 		}
+ 	} else {
+diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
+index ab52414..8798492 100644
+--- a/net/bluetooth/hidp/hidp.h
++++ b/net/bluetooth/hidp/hidp.h
+@@ -24,6 +24,7 @@
+ #define __HIDP_H
+ 
+ #include <linux/types.h>
++#include <linux/hid.h>
+ #include <linux/kref.h>
+ #include <net/bluetooth/bluetooth.h>
+ #include <net/bluetooth/l2cap.h>
+@@ -179,6 +180,9 @@ struct hidp_session {
+ 
+ 	/* Used in hidp_output_raw_report() */
+ 	int output_report_success; /* boolean */
++
++	/* temporary input buffer */
++	u8 input_buf[HID_MAX_BUFFER_SIZE];
+ };
+ 
+ /* HIDP init defines */
+-- 
+1.8.5.3
+
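Review bot: The `len` parameter of the new hidp_process_report() is a signed int, while both call sites pass skb->len, which is an unsigned int in struct sk_buff; a length above INT_MAX turns negative on conversion, passes the `len > HID_MAX_BUFFER_SIZE` clamp untouched, and is then widened back to a huge size_t for the memcpy() into the 4096-byte input_buf, so the clamp does not fully close the overflow it is meant to fix. The clamp should operate on an unsigned length, `int type, const u8 *data, unsigned int len, int intr)`, or reject negative values explicitly before the memcpy(). hid_input_report() takes its size as int, and after an unsigned clamp the value handed to it is always bounded by HID_MAX_BUFFER_SIZE, so the callee side needs no change. The callers hidp_process_data() and hidp_recv_intr_frame() start and end outside their hunks.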
diff --git a/kernel.spec b/kernel.spec
index 05f0c81..a3c92a3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -782,6 +782,9 @@ Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-cap
 #CVE-2014-0100 rhbz 1072026 1070618
 Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch
 
+#rhbz 1027465
+Patch25032: HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1520,6 +1523,9 @@ ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capa
 #CVE-2014-0100 rhbz 1072026 1070618
 ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch
 
+#rhbz 1027465
+ApplyPatch HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2331,6 +2337,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Mar 04 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- Fix hidp crash with apple bluetooth trackpads (rhbz 1027465)
+
 * Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org> - 3.13.5-202
 - CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)
 - CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)

