linux/drivers/hid
Benjamin Tissoires cc6b54aa54 HID: validate feature and input report details
When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:13:22 +02:00
..
i2c-hid Merge branches 'for-3.12/devm', 'for-3.12/i2c-hid', 'for-3.12/i2c-hid-dt', 'for-3.12/logitech', 'for-3.12/multitouch-win8', 'for-3.12/trasnport-driver-cleanup', 'for-3.12/uhid', 'for-3.12/upstream' and 'for-3.12/wiimote' into for-linus 2013-09-06 11:58:37 +02:00
usbhid Merge branches 'for-3.12/devm', 'for-3.12/i2c-hid', 'for-3.12/i2c-hid-dt', 'for-3.12/logitech', 'for-3.12/multitouch-win8', 'for-3.12/trasnport-driver-cleanup', 'for-3.12/uhid', 'for-3.12/upstream' and 'for-3.12/wiimote' into for-linus 2013-09-06 11:58:37 +02:00
hid-a4tech.c HID: trivial devm conversion for special hid drivers 2013-07-31 10:12:28 +02:00
hid-apple.c Merge branches 'for-3.12/devm', 'for-3.12/i2c-hid', 'for-3.12/i2c-hid-dt', 'for-3.12/logitech', 'for-3.12/multitouch-win8', 'for-3.12/trasnport-driver-cleanup', 'for-3.12/uhid', 'for-3.12/upstream' and 'for-3.12/wiimote' into for-linus 2013-09-06 11:58:37 +02:00
hid-appleir.c HID: appleir: add support for Apple ir devices 2013-04-18 19:06:20 -07:00
hid-aureal.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-axff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-belkin.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-cherry.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-chicony.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-core.c HID: validate feature and input report details 2013-09-13 15:13:22 +02:00
hid-cypress.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-debug.c HID: debug: fix RCU preemption issue 2013-05-06 13:07:33 +02:00
hid-dr.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-elecom.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-elo.c HID: elo: add quirks for broken firmware 2013-05-29 01:11:43 +02:00
hid-emsff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-ezkey.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-gaff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-generic.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-gyration.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-holtek-kbd.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-holtek-mouse.c HID: holtek-mouse: use module_hid_driver() to simplify the code 2013-05-29 15:04:33 +02:00
hid-holtekff.c HID: hid-holtekff: don't push static constants on stack for %*ph 2013-08-05 11:29:57 +02:00
hid-huion.c HID: add support for Huion 580 tablet 2013-05-28 14:29:38 +02:00
hid-hyperv.c Drivers: hv: remove HV_DRV_VERSION 2013-08-02 11:34:30 +08:00
hid-icade.c HID: icade: u16 which never < 0 2013-04-24 16:32:27 +02:00
hid-ids.h HID: Correct the USB IDs for the new Macbook Air 6 2013-09-04 10:50:41 +02:00
hid-input.c HID: validate feature and input report details 2013-09-13 15:13:22 +02:00
hid-kensington.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-keytouch.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-kye.c HID: kye: Add report fixup for Genius Gx Imperator Keyboard 2013-07-15 10:25:33 +02:00
hid-lcpower.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-lenovo-tpkbd.c HID: lenovo-tpkbd: validate output report details 2013-09-13 15:13:00 +02:00
hid-lg2ff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-lg3ff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-lg4ff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-lg.c Merge branches 'for-3.9/logitech', 'for-3.9/multitouch', 'for-3.9/ntrig', 'for-3.9/thingm' and 'for-3.9/upstream' into for-linus 2013-02-21 10:45:01 +01:00
hid-lg.h HID: hid-lg4ff: Adjust X axis input value accordingly to selected range. 2012-09-25 15:41:02 +02:00
hid-lgff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-logitech-dj.c Merge branches 'for-3.12/devm', 'for-3.12/i2c-hid', 'for-3.12/i2c-hid-dt', 'for-3.12/logitech', 'for-3.12/multitouch-win8', 'for-3.12/trasnport-driver-cleanup', 'for-3.12/uhid', 'for-3.12/upstream' and 'for-3.12/wiimote' into for-linus 2013-09-06 11:58:37 +02:00
hid-logitech-dj.h HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue"" 2013-07-22 16:32:24 +02:00
hid-magicmouse.c Merge branches 'for-3.12/devm', 'for-3.12/i2c-hid', 'for-3.12/i2c-hid-dt', 'for-3.12/logitech', 'for-3.12/multitouch-win8', 'for-3.12/trasnport-driver-cleanup', 'for-3.12/uhid', 'for-3.12/upstream' and 'for-3.12/wiimote' into for-linus 2013-09-06 11:58:37 +02:00
hid-microsoft.c HID: Add PID for Japanese version of NE4K keyboard 2013-04-29 10:16:55 +02:00
hid-monterey.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-multitouch.c HID: do not init input reports for Win 8 multitouch devices 2013-08-27 10:00:00 +02:00
hid-ntrig.c HID: ntrig: validate feature report details 2013-09-04 12:00:23 +02:00
hid-ortek.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-petalynx.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-picolcd_backlight.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd_cir.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-02 13:36:50 +02:00
hid-picolcd_core.c HID: picolcd_core: validate output report details 2013-09-04 12:03:27 +02:00
hid-picolcd_debugfs.c HID: fix data access in implement() 2013-07-22 16:16:40 +02:00
hid-picolcd_fb.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-02 13:36:50 +02:00
hid-picolcd_lcd.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd_leds.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd.h Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
hid-pl.c HID: pantherlord: validate output report details 2013-09-04 11:58:32 +02:00
hid-primax.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-prodikeys.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-roccat-arvo.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-09-06 09:30:36 -07:00
hid-roccat-arvo.h
hid-roccat-common.c HID: roccat: rename roccat_common functions to roccat_common2 2012-06-28 10:34:01 +02:00
hid-roccat-common.h HID: roccat: rename roccat_common functions to roccat_common2 2012-06-28 10:34:01 +02:00
hid-roccat-isku.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-09-06 09:30:36 -07:00
hid-roccat-isku.h HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-kone.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-09-06 09:30:36 -07:00
hid-roccat-kone.h HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-koneplus.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-09-06 09:30:36 -07:00
hid-roccat-koneplus.h HID: roccat: fix wrong attr size for koneplus tcu 2012-11-18 22:58:28 +01:00
hid-roccat-konepure.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-09-06 09:30:36 -07:00
hid-roccat-konepure.h HID: roccat: add support for Roccat Kone Pure gaming mouse 2013-03-14 11:50:49 +01:00
hid-roccat-kovaplus.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-09-06 09:30:36 -07:00
hid-roccat-kovaplus.h HID: roccat: deprecate some Kovaplus attributes 2012-11-12 15:30:29 +01:00
hid-roccat-lua.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-roccat-lua.h HID: roccat: add support for Roccat Lua 2012-10-17 10:44:47 +02:00
hid-roccat-pyra.c hid: roccat-pyra: convert class code to use bin_attrs in groups 2013-08-20 16:59:00 -07:00
hid-roccat-pyra.h HID: roccat: deprecated some Pyra attributes 2012-11-12 15:30:28 +01:00
hid-roccat-savu.c hid: roccat-savu: convert class code to use bin_attrs in groups 2013-08-19 21:46:53 -07:00
hid-roccat-savu.h HID: roccat: added sensor sysfs attribute for Savu 2012-07-20 09:50:42 +02:00
hid-roccat.c HID: roccat: check cdev_add return value 2013-06-18 11:00:36 +02:00
hid-saitek.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-samsung.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-sensor-hub.c Merge branch 'for-3.12/sensor-hub' into for-linus 2013-09-06 11:59:53 +02:00
hid-sjoy.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-sony.c HID: sony: validate HID output report details 2013-09-13 15:12:12 +02:00
hid-speedlink.c HID: Fix Speedlink VAD Cezanne support for some devices 2013-08-26 13:51:10 +02:00
hid-steelseries.c HID: steelseries: validate output report details 2013-09-13 15:12:28 +02:00
hid-sunplus.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-thingm.c HID: Kconfig: Remove explicit transport layer dependencies 2013-02-25 13:26:40 +01:00
hid-tivo.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-tmff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-topseed.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-twinhan.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-uclogic.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-wacom.c HID: wacom: Intuos4 battery charging changes 2013-07-04 15:04:47 +02:00
hid-waltop.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-wiimote-core.c Revert "Input: introduce BTN/ABS bits for drums and guitars" 2013-09-07 09:48:41 -07:00
hid-wiimote-debug.c HID: wiimote: fix DRM debug-attr to correctly parse input 2013-06-03 11:07:06 +02:00
hid-wiimote-modules.c Revert "Input: introduce BTN/ABS bits for drums and guitars" 2013-09-07 09:48:41 -07:00
hid-wiimote.h Revert "Input: introduce BTN/ABS bits for drums and guitars" 2013-09-07 09:48:41 -07:00
hid-xinmo.c HID: use module_hid_driver() to simplify the code 2013-08-26 13:23:04 +02:00
hid-zpff.c HID: zeroplus: validate output report details 2013-09-13 15:11:34 +02:00
hid-zydacron.c HID: trivial devm conversion for special hid drivers 2013-07-31 10:12:28 +02:00
hidraw.c Merge branch 'master' into for-3.12/upstream 2013-09-04 10:49:57 +02:00
Kconfig HID: Add new driver for non-compliant Xin-Mo devices. 2013-07-29 11:49:29 +02:00
Makefile HID: Add new driver for non-compliant Xin-Mo devices. 2013-07-29 11:49:29 +02:00
uhid.c Merge branches 'for-3.12/devm', 'for-3.12/i2c-hid', 'for-3.12/i2c-hid-dt', 'for-3.12/logitech', 'for-3.12/multitouch-win8', 'for-3.12/trasnport-driver-cleanup', 'for-3.12/uhid', 'for-3.12/upstream' and 'for-3.12/wiimote' into for-linus 2013-09-06 11:58:37 +02:00