From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-input@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>,
Henrik Rydberg <rydberg@euromail.se>
Subject: Re: [PATCH 7/7] HID: logitech-dj: validate output report details
Date: Mon, 09 Sep 2013 15:44:36 +0200 [thread overview]
Message-ID: <522DD0C4.2080408@redhat.com> (raw)
In-Reply-To: <1378312645-27736-8-git-send-email-keescook@chromium.org>
On 04/09/13 18:37, Kees Cook wrote:
> A HID device could send a malicious output report that would cause the
> logitech-dj HID driver to leak kernel memory contents to the device, or
> trigger a NULL dereference during initialization:
>
> [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
> ...
> [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
> [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
>
> CVE-2013-2895
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: stable@kernel.org
> ---
> drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
> index cd33084..404f2d0 100644
> --- a/drivers/hid/hid-logitech-dj.c
> +++ b/drivers/hid/hid-logitech-dj.c
> @@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
> struct hid_report *report;
> struct hid_report_enum *output_report_enum;
> u8 *data = (u8 *)(&dj_report->device_index);
> - int i;
> + unsigned int i, length;
>
> output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
> report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
> @@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
> return -ENODEV;
> }
>
> - for (i = 0; i < report->field[0]->report_count; i++)
> + length = min_t(size_t, sizeof(*dj_report) - 1,
> + report->field[0]->report_count);
> + for (i = 0; i < length; i++)
I would rather simply do:
for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
> report->field[0]->value[i] = data[i];
>
> hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
> @@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev,
> goto hid_parse_fail;
> }
>
> + if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
> + 0, 3)) {
and here:
if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
0, DJREPORT_SHORT_LENGTH - 1)) {
3 seems to come from nowhere, and is also wrong because in logi_dj_recv_switch_to_dj_mode(), we write 4 bytes.
Besides this small nitpick, there is the same problem that I spotted in hid-steelseries, in case of a failure, the hid device is not cleaned correctly.
Cheers,
Benjamin
> + retval = -ENODEV;
> + goto hid_parse_fail;
> + }
> +
> /* Starts the usb device and connects to upper interfaces hiddev and
> * hidraw */
> retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
>
next prev parent reply other threads:[~2013-09-09 13:44 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-04 16:37 [PATCH v2 0/7] HID: validate report details Kees Cook
2013-09-04 16:37 ` [PATCH 1/7] HID: provide a helper for validating hid reports Kees Cook
2013-09-09 12:33 ` Benjamin Tissoires
2013-09-04 16:37 ` [PATCH 2/7] HID: zeroplus: validate output report details Kees Cook
2013-09-09 12:36 ` Benjamin Tissoires
2013-09-04 16:37 ` [PATCH 3/7] HID: sony: validate HID " Kees Cook
2013-09-09 12:39 ` Benjamin Tissoires
2013-09-04 16:37 ` [PATCH 4/7] HID: steelseries: validate " Kees Cook
2013-09-09 13:02 ` Benjamin Tissoires
2013-09-10 11:45 ` Benjamin Tissoires
2013-09-04 16:37 ` [PATCH 5/7] HID: LG: validate HID " Kees Cook
2013-09-09 13:22 ` Benjamin Tissoires
2013-09-04 16:37 ` [PATCH 6/7] HID: lenovo-tpkbd: validate " Kees Cook
2013-09-09 13:28 ` Benjamin Tissoires
2013-09-04 16:37 ` [PATCH 7/7] HID: logitech-dj: " Kees Cook
2013-09-09 13:44 ` Benjamin Tissoires [this message]
2013-09-09 13:48 ` [PATCH v2 0/7] HID: validate " Benjamin Tissoires
2013-09-09 21:48 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=522DD0C4.2080408@redhat.com \
--to=benjamin.tissoires@redhat.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-input@vger.kernel.org \
--cc=rydberg@euromail.se \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.