From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Simon Wood <simon@mungewell.org>,
Kees Cook <keescook@chromium.org>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 3.4 13/43] HID: core: fix validation of report id 0
Date: Sat, 28 Jun 2014 10:46:04 -0700 [thread overview]
Message-ID: <20140628174450.420386574@linuxfoundation.org> (raw)
In-Reply-To: <20140628174449.788784511@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 upstream.
Some drivers use the first HID report in the list instead of using an
index. In these cases, validation uses ID 0, which was supposed to mean
"first known report". This fixes the problem, which was causing at least
the lgff family of devices to stop working since hid_validate_values
was being called with ID 0, but the devices used single numbered IDs
for their reports:
0x05, 0x01, /* Usage Page (Desktop), */
0x09, 0x05, /* Usage (Gamepad), */
0xA1, 0x01, /* Collection (Application), */
0xA1, 0x02, /* Collection (Logical), */
0x85, 0x01, /* Report ID (1), */
...
Reported-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -861,7 +861,17 @@ struct hid_report *hid_validate_values(s
* ->numbered being checked, which may not always be the case when
* drivers go to access report values.
*/
- report = hid->report_enum[type].report_id_hash[id];
+ if (id == 0) {
+ /*
+ * Validating on id 0 means we should examine the first
+ * report in the list.
+ */
+ report = list_entry(
+ hid->report_enum[type].report_list.next,
+ struct hid_report, list);
+ } else {
+ report = hid->report_enum[type].report_id_hash[id];
+ }
if (!report) {
hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
return NULL;
next prev parent reply other threads:[~2014-06-28 17:46 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-28 17:45 [PATCH 3.4 00/43] 3.4.96-stable review Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 01/43] can: peak_pci: prevent use after free at netdev removal Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 02/43] staging: tidspbridge: check for CONFIG_SND_OMAP_SOC_MCBSP Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 03/43] applicom: dereferencing NULL on error path Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 04/43] usb: usbtest: fix unlink write error with pattern 1 Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 05/43] USB: usbtest: add a timeout for scatter-gather tests Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 06/43] usb: gadget: rename CONFIG_USB_GADGET_PXA25X Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 07/43] usb: dwc3: gadget: clear stall when disabling endpoint Greg Kroah-Hartman
2014-06-28 17:45 ` [PATCH 3.4 08/43] USB: EHCI: avoid BIOS handover on the HASEE E200 Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 09/43] USB: option: fix runtime PM handling Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 10/43] mm/memory-failure.c-failure: send right signal code to correct thread Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 11/43] mm/memory-failure.c: dont let collect_procs() skip over processes for MF_ACTION_REQUIRED Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 12/43] mm: fix sleeping function warning from __put_anon_vma Greg Kroah-Hartman
2014-06-28 17:46 ` Greg Kroah-Hartman [this message]
2014-06-28 17:46 ` [PATCH 3.4 14/43] mm: vmscan: clear kswapds special reclaim powers before exiting Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 15/43] s390/lowcore: reserve 96 bytes for IRB in lowcore Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 16/43] ext4: fix wrong assert in ext4_mb_normalize_request() Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 17/43] matroxfb: perform a dummy read of M_STATUS Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 18/43] USB: usb_wwan: fix urb leak in write error path Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 19/43] USB: usb_wwan: fix race between write and resume Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 20/43] USB: usb_wwan: fix write and suspend race Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 21/43] USB: usb_wwan: fix urb leak at shutdown Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 22/43] USB: usb_wwan: fix potential NULL-deref at resume Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 23/43] USB: usb_wwan: fix potential blocked I/O after resume Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 24/43] USB: sierra: fix AA deadlock in open error path Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 25/43] USB: sierra: fix use after free at suspend/resume Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 26/43] USB: sierra: fix urb and memory leak in resume error path Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 27/43] USB: sierra: fix urb and memory leak on disconnect Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 28/43] USB: sierra: fix remote wakeup Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 29/43] ACPI: Fix conflict between customized DSDT and DSDT local copy Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 30/43] ARM: stacktrace: avoid listing stacktrace functions in stacktrace Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 31/43] [PATCH] target: Explicitly clear ramdisk_mcp backend pages Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 32/43] x86-32, espfix: Remove filter for espfix32 due to race Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 33/43] x86, x32: Use compat shims for io_{setup,submit} Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 34/43] genirq: Sanitize spurious interrupt detection of threaded irqs Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 35/43] skbuff: add an api to orphan frags Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 36/43] skbuff: export skb_copy_ubufs Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 37/43] skbuff: skb_segment: orphan frags before copying Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 38/43] Btrfs: fix double free in find_lock_delalloc_range Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 39/43] fs: btrfs: volumes.c: Fix for possible null pointer dereference Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 40/43] Btrfs: use right type to get real comparison Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 41/43] btrfs: fix use of uninit "ret" in end_extent_writepage() Greg Kroah-Hartman
2014-06-28 17:46 ` [PATCH 3.4 42/43] usb: usbtest: Add timetout to simple_io() Greg Kroah-Hartman
2014-06-28 22:28 ` [PATCH 3.4 00/43] 3.4.96-stable review Guenter Roeck
2014-06-28 22:34 ` Greg Kroah-Hartman
2014-06-30 16:17 ` Shuah Khan
2014-06-30 16:26 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140628174450.420386574@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=benjamin.tissoires@redhat.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=simon@mungewell.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).