[meta-freescale] [meta-fsl-ppc][PATCH 2/2] Kernel-HID/USB: multiple CVEs

Sona Sarmadi sona.sarmadi at enea.com
Tue Jan 27 00:10:42 PST 2015 

CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver
CVE-2014-3182 Kernel: HID: logitech-dj OOB array access
CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup routine
CVE-2014-3185 Kernel: USB serial: memory corruption flaw

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../linux/files/0001-HID-CVE-2014-3181.patch       |  52 ++++++++++
 .../linux/files/0002-HID-CVE-2014-3182.patch       |  65 ++++++++++++
 .../linux/files/0003-HID-CVE-2014-3184.patch       | 114 +++++++++++++++++++++
 .../linux/files/0004-USB-CVE-2014-3185.patch       |  51 +++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |   4 +
 5 files changed, 286 insertions(+)
 create mode 100644 recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
 create mode 100644 recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
 create mode 100644 recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
 create mode 100644 recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch

diff --git a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
new file mode 100644
index 0000000..4355c68
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
+From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina at suse.cz>
+Date: Wed, 27 Aug 2014 09:12:24 +0200
+Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
+ callback
+
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that
+magicmouse_emit_touch() gets only valid values of raw_id.
+
+This fixes CVE-2014-3181
+Upstream-Status: Backport
+
+Cc: stable at vger.kernel.org
+Reported-by: Steven Vittitoe <scvitti at google.com>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/hid/hid-magicmouse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index ecc2cbf..29a74c1 100644
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ 		if (size < 4 || ((size - 4) % 9) != 0)
+ 			return 0;
+ 		npoints = (size - 4) / 9;
++		if (npoints > 15) {
++			hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
++					size);
++			return 0;
++		}
+ 		msc->ntouches = 0;
+ 		for (ii = 0; ii < npoints; ii++)
+ 			magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ 		if (size < 6 || ((size - 6) % 8) != 0)
+ 			return 0;
+ 		npoints = (size - 6) / 8;
++		if (npoints > 15) {
++			hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
++					size);
++			return 0;
++		}
+ 		msc->ntouches = 0;
+ 		for (ii = 0; ii < npoints; ii++)
+ 			magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
new file mode 100644
index 0000000..a90d079
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
@@ -0,0 +1,65 @@
+From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina at suse.cz>
+Date: Thu, 21 Aug 2014 09:57:17 -0500
+Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
+ enough
+
+device_index is a char type and the size of paired_dj_deivces is 7
+elements, therefore proper bounds checking has to be applied to
+device_index before it is used.
+
+We are currently performing the bounds checking in
+logi_dj_recv_add_djhid_device(), which is too late, as malicious device
+could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
+problem in one of the report forwarding functions called from
+logi_dj_raw_event().
+
+Fix this by performing the check at the earliest possible ocasion in
+logi_dj_raw_event().
+
+This fixes CVE-2014-3182
+Upstream-Status: Backport
+
+Cc: stable at vger.kernel.org
+Reported-by: Ben Hawkes <hawkes at google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/hid/hid-logitech-dj.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index ca0ab51..b7ba829 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
+ 		return;
+ 	}
+ 
+-	if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+-	    (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+-		dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
+-			__func__, dj_report->device_index);
+-		return;
+-	}
+-
+ 	if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
+ 		/* The device is already known. No need to reallocate it. */
+ 		dbg_hid("%s: device is already known\n", __func__);
+@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
+ 	 * device (via hid_input_report() ) and return 1 so hid-core does not do
+ 	 * anything else with it.
+ 	 */
++	if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
++	    (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
++		dev_err(&hdev->dev, "%s: invalid device index:%d\n",
++				__func__, dj_report->device_index);
++		return false;
++	}
+ 
+ 	spin_lock_irqsave(&djrcv_dev->lock, flags);
+ 	if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
new file mode 100644
index 0000000..f58b2f0
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
+From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina at suse.cz>
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: [PATCH] HID: fix a couple of off-by-ones
+
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+
+This fixes CVE-2014-3184
+Upstream-Status: Backport
+
+Cc: stable at vger.kernel.org
+Reported-by: Ben Hawkes <hawkes at google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/hid/hid-cherry.c   | 2 +-
+ drivers/hid/hid-kye.c      | 2 +-
+ drivers/hid/hid-lg.c       | 4 ++--
+ drivers/hid/hid-monterey.c | 2 +-
+ drivers/hid/hid-petalynx.c | 2 +-
+ drivers/hid/hid-sunplus.c  | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
+index 1bdcccc..f745d2c 100644
+--- a/drivers/hid/hid-cherry.c
++++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		unsigned int *rsize)
+ {
+-	if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
++	if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+ 		hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+ 		rdesc[11] = rdesc[16] = 0xff;
+ 		rdesc[12] = rdesc[17] = 0x03;
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index e776963..b92bf01 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		 *   - change the button usage range to 4-7 for the extra
+ 		 *     buttons
+ 		 */
+-		if (*rsize >= 74 &&
++		if (*rsize >= 75 &&
+ 			rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+ 			rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+ 			rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index a976f48..f91ff14 100644
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 	struct usb_device_descriptor *udesc;
+ 	__u16 bcdDevice, rev_maj, rev_min;
+ 
+-	if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
++	if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+ 			rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+ 		hid_info(hdev,
+ 			 "fixing up Logitech keyboard report descriptor\n");
+ 		rdesc[84] = rdesc[89] = 0x4d;
+ 		rdesc[85] = rdesc[90] = 0x10;
+ 	}
+-	if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
++	if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+ 			rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+ 			rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+ 		hid_info(hdev,
+diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
+index 9e14c00..25daf28 100644
+--- a/drivers/hid/hid-monterey.c
++++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		unsigned int *rsize)
+ {
+-	if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
++	if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+ 		hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+ 		rdesc[30] = 0x0c;
+ 	}
+diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
+index 736b250..6aca4f2 100644
+--- a/drivers/hid/hid-petalynx.c
++++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		unsigned int *rsize)
+ {
+-	if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
++	if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+ 			rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+ 			rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+ 		hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
+index 87fc91e..91072fa 100644
+--- a/drivers/hid/hid-sunplus.c
++++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		unsigned int *rsize)
+ {
+-	if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
++	if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+ 			rdesc[106] == 0x03) {
+ 		hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+ 		rdesc[105] = rdesc[110] = 0x03;
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
new file mode 100644
index 0000000..0820807
--- /dev/null
+++ b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
+From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
+From: James Forshaw <forshaw at google.com>
+Date: Sat, 23 Aug 2014 14:39:48 -0700
+Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
+ response
+
+This patch fixes a potential security issue in the whiteheat USB driver
+which might allow a local attacker to cause kernel memory corrpution. This
+is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
+EHCI and XHCI busses it's possible to craft responses greater than 64
+bytes leading a buffer overflow.
+
+This fixes CVE-2014-3185
+Upstream-Status: Backport
+
+Signed-off-by: James Forshaw <forshaw at google.com>
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/usb/serial/whiteheat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index e62f2df..6c3734d 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
+ 		dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
+ 		return;
+ 	}
++	if (!urb->actual_length) {
++		dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
++		return;
++	}
+ 	if (status) {
+ 		dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
+ 		if (status != -ENOENT)
+@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
+ 		/* These are unsolicited reports from the firmware, hence no
+ 		   waiting command to wakeup */
+ 		dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
+-	} else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
++	} else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
++		(urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
+ 		memcpy(command_info->result_buffer, &data[1],
+ 						urb->actual_length - 1);
+ 		command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 874a3f2..195b477 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -13,6 +13,10 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
     file://udf-CVE-2014-6410.patch \
     file://net-sctp-CVE-2014-0101.patch \
+    file://0001-HID-CVE-2014-3181.patch \
+    file://0002-HID-CVE-2014-3182.patch \
+    file://0003-HID-CVE-2014-3184.patch \
+    file://0004-USB-CVE-2014-3185.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
-- 
1.9.1

More information about the meta-freescale mailing list