-
由 Benjamin Tissoires 提交于
When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten Note that we need to change the indexes from s8 to s16 as they can be between -1 and 255. CVE-2013-2897 Cc: stable@vger.kernel.org Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: NKees Cook <keescook@chromium.org> Signed-off-by: NJiri Kosina <jkosina@suse.cz>
8821f5dc