diff mbox

[CVE-2017-7273,T] HID: hid-cypress: validate length of report

Message ID 20170719085514.10530-2-po-hsu.lin@canonical.com
State New
Headers show

Commit Message

Po-Hsu Lin July 19, 2017, 8:55 a.m. UTC 
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

CVE-2017-7273

Make sure we have enough of a report structure to validate before
looking at it.

Reported-by: Benoit Camredon <benoit.camredon@airbus.com>
Tested-by: Benoit Camredon <benoit.camredon@airbus.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
(cherry picked from commit 1ebb71143758f45dc0fa76e2f48429e13b16d110)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 drivers/hid/hid-cypress.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Stefan Bader July 21, 2017, 8:20 a.m. UTC | #1 
On 19.07.2017 10:55, Po-Hsu Lin wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> CVE-2017-7273
> 
> Make sure we have enough of a report structure to validate before
> looking at it.
> 
> Reported-by: Benoit Camredon <benoit.camredon@airbus.com>
> Tested-by: Benoit Camredon <benoit.camredon@airbus.com>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> (cherry picked from commit 1ebb71143758f45dc0fa76e2f48429e13b16d110)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---
>  drivers/hid/hid-cypress.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/hid/hid-cypress.c b/drivers/hid/hid-cypress.c
> index c4ef3bc..e299576 100644
> --- a/drivers/hid/hid-cypress.c
> +++ b/drivers/hid/hid-cypress.c
> @@ -39,6 +39,9 @@ static __u8 *cp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
>  	if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
>  		return rdesc;
>  
> +	if (*rsize < 4)
> +		return rdesc;
> +
>  	for (i = 0; i < *rsize - 4; i++)
>  		if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
>  			__u8 tmp;
>
Colin Ian King July 21, 2017, 9:16 a.m. UTC | #2 
On 19/07/17 09:55, Po-Hsu Lin wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> CVE-2017-7273
> 
> Make sure we have enough of a report structure to validate before
> looking at it.
> 
> Reported-by: Benoit Camredon <benoit.camredon@airbus.com>
> Tested-by: Benoit Camredon <benoit.camredon@airbus.com>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> (cherry picked from commit 1ebb71143758f45dc0fa76e2f48429e13b16d110)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  drivers/hid/hid-cypress.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/hid/hid-cypress.c b/drivers/hid/hid-cypress.c
> index c4ef3bc..e299576 100644
> --- a/drivers/hid/hid-cypress.c
> +++ b/drivers/hid/hid-cypress.c
> @@ -39,6 +39,9 @@ static __u8 *cp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
>  	if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
>  		return rdesc;
>  
> +	if (*rsize < 4)
> +		return rdesc;
> +
>  	for (i = 0; i < *rsize - 4; i++)
>  		if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
>  			__u8 tmp;
> 
Clean cherry pick, looks good.

Acked-by: Colin Ian King <colin.king@canonical.com>
Kleber Sacilotto de Souza Aug. 7, 2017, 11:05 a.m. UTC | #3 
Applied on trusty master-next branch.

Thank you,
Kleber
diff mbox

Patch

diff --git a/drivers/hid/hid-cypress.c b/drivers/hid/hid-cypress.c
index c4ef3bc..e299576 100644
--- a/drivers/hid/hid-cypress.c
+++ b/drivers/hid/hid-cypress.c
@@ -39,6 +39,9 @@  static __u8 *cp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 	if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
 		return rdesc;
 
+	if (*rsize < 4)
+		return rdesc;
+
 	for (i = 0; i < *rsize - 4; i++)
 		if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
 			__u8 tmp;