Pandora Sourcecodes - pandora-kernel.git/commit

author	Kees Cook <keescook@chromium.org>
	Wed, 28 Aug 2013 20:29:55 +0000 (22:29 +0200)
committer	Jiri Kosina <jkosina@suse.cz>
	Thu, 29 Aug 2013 09:01:25 +0000 (11:01 +0200)
commit	43622021d2e2b82ea03d883926605bdd0525e1d1
tree	eb347fb9b63e544151787d58f8940bdd957961a0	tree \| snapshot
parent	58c59bc997d86593f0bea41845885917cf304d22	commit \| diff

HID: validate HID report id size

The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

drivers/hid/hid-core.c		diff \| blob \| history
include/linux/hid.h		diff \| blob \| history