HID: validate HID report id size
The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: NKees Cook <keescook@chromium.org> Cc: stable@kernel.org Signed-off-by: NJiri Kosina <jkosina@suse.cz>
Showing
想要评论请 注册 或 登录