diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-27 11:57:34 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-27 12:00:07 -0400 |
commit | b88c442b2e21cb155aab2adeed6fb9be4d50b893 (patch) | |
tree | a5bdd3ea295d087373792ba8c5c80d0e947d99a1 | |
parent | 94d37862fa8c81afe54cd7c05f7b312438f83e90 (diff) | |
download | kernel-b88c442b2e21cb155aab2adeed6fb9be4d50b893.tar.gz kernel-b88c442b2e21cb155aab2adeed6fb9be4d50b893.tar.xz kernel-b88c442b2e21cb155aab2adeed6fb9be4d50b893.zip |
CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513)
-rw-r--r-- | HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch | 44 | ||||
-rw-r--r-- | kernel.spec | 8 |
2 files changed, 51 insertions, 1 deletions
diff --git a/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch b/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch new file mode 100644 index 000000000..e84272ee7 --- /dev/null +++ b/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch @@ -0,0 +1,44 @@ +From 93a2001bdfd5376c3dc2158653034c20392d15c5 Mon Sep 17 00:00:00 2001 +From: Scott Bauer <sbauer@plzdonthack.me> +Date: Thu, 23 Jun 2016 08:59:47 -0600 +Subject: [PATCH] HID: hiddev: validate num_values for HIDIOCGUSAGES, + HIDIOCSUSAGES commands + +This patch validates the num_values parameter from userland during the +HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set +to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter +leading to a heap overflow. + +Cc: stable@vger.kernel.org +Signed-off-by: Scott Bauer <sbauer@plzdonthack.me> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +--- + drivers/hid/usbhid/hiddev.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca6f2e0..700145b15088 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index 99343d59b..6195340c2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -673,6 +673,9 @@ Patch728: hp-wmi-fix-wifi-cannot-be-hard-unblock.patch #CVE-2016-4998 rhbz 1349886 1350316 Patch729: CVE-2016-4998.patch +#CVE-2016-5829 rhbz 1350509 1350513 +Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch + # END OF PATCH DEFINITIONS %endif @@ -2190,7 +2193,10 @@ fi # # %changelog -* Mon Jun 27 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.7-201 +* Mon Jun 27 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.7-201 +- CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513) + +* Mon Jun 27 2016 Justin M. Forbes <jforbes@fedoraproject.org> - CVE-2016-4998 oob reads when processing IPT_SO_SET_REPLACE setsockopt (rhbz 1349886 1350316) * Wed Jun 15 2016 Laura Abbott <labbott@fedoraproject.org> |