[kernel/f20] CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
Josh Boyer
jwboyer at fedoraproject.org
Mon Sep 15 13:36:12 UTC 2014
commit acfd908865a9584cc5b585da40d2c4faed8caafa
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Sep 15 09:34:06 2014 -0400
CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
...-sanity-check-report-size-in-raw_event-ca.patch | 41 ++++++++++++++++++++
kernel.spec | 9 ++++
2 files changed, 50 insertions(+), 0 deletions(-)
---
diff --git a/HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch b/HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
new file mode 100644
index 0000000..456d91c
--- /dev/null
+++ b/HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
@@ -0,0 +1,41 @@
+From 844817e47eef14141cf59b8d5ac08dd11c0a9189 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina at suse.cz>
+Date: Wed, 27 Aug 2014 09:13:15 +0200
+Subject: [PATCH] HID: picolcd: sanity check report size in raw_event()
+ callback
+
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that raw_data
+that we hold in picolcd_pending structure are always kept within proper
+bounds.
+
+Bugzilla: 1141410
+Upstream-status: 3.17 and CC'd to stable
+
+Cc: stable at vger.kernel.org
+Reported-by: Steven Vittitoe <scvitti at google.com>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+---
+ drivers/hid/hid-picolcd_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index acbb021065ec..020df3c2e8b4 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
+ if (!data)
+ return 1;
+
++ if (size > 64) {
++ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
++ size);
++ return 0;
++ }
++
+ if (report->id == REPORT_KEY_STATE) {
+ if (data->input_keys)
+ ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 35efcaf..697df11 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -724,6 +724,9 @@ Patch26023: psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
#CVE-2014-3181 rhbz 1141179 1141173
Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch
+#CVE-2014-3186 rhbz 1141407 1141410
+Patch26025: HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1416,6 +1419,9 @@ ApplyPatch psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
#CVE-2014-3181 rhbz 1141179 1141173
ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch
+#CVE-2014-3186 rhbz 1141407 1141410
+ApplyPatch HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2234,6 +2240,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Sep 15 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
+
* Fri Sep 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
- CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179)
More information about the scm-commits
mailing list