From: Kees Cook <keesc...@chromium.org>
A HID device could send a malicious output report that would cause the
lenovo-tpkbd HID driver to write just beyond the output report allocation
during initialization, causing a heap overflow:
[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
...
[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2894
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: sta...@kernel.org
---
drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
index 07837f5..b697ada 100644
--- a/drivers/hid/hid-lenovo-tpkbd.c
+++ b/drivers/hid/hid-lenovo-tpkbd.c
@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
char *name_mute, *name_micmute;
int ret;
+ /* Validate required reports. */
+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) ||
+ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2))
+ return -ENODEV;
+
if (sysfs_create_group(&hdev->dev.kobj,
&tpkbd_attr_group_pointer)) {
hid_warn(hdev, "Could not create sysfs group\n");
--
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
