[PATCH 13/14] HID: picolcd_core: validate output report details

Jiri Kosina Wed, 28 Aug 2013 13:32:59 -0700

From: Kees Cook <keesc...@chromium.org>

A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.


CVE-2013-2899

Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: sta...@kernel.org
---
 drivers/hid/hid-picolcd_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index b48092d..72bba1e 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device 
*dev,
                buf += 10;
                cnt -= 10;
        }
-       if (!report)
+       if (!report || report->maxfield < 1)
                return -EINVAL;
 
        while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
-- 
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 13/14] HID: picolcd_core: validate output report details

Reply via email to