HID: validate feature and input report details
When dealing with usage_index, be sure to properly use unsigned instead of int to avoid overflows. When working on report fields, always validate that their report_counts are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Cc: stable@vger.kernel.org Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: NKees Cook <keescook@chromium.org> Signed-off-by: NJiri Kosina <jkosina@suse.cz>
Showing
想要评论请 注册 或 登录