Kernel-HID/USB: multiple CVEs
authorSona Sarmadi <sona.sarmadi@enea.com>
Tue, 27 Jan 2015 08:10:42 +0000 (09:10 +0100)
committerZhenhua Luo <zhenhua.luo@freescale.com>
Tue, 3 Feb 2015 02:04:50 +0000 (10:04 +0800)
CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver
CVE-2014-3182 Kernel: HID: logitech-dj OOB array access
CVE-2014-3184 Kernel: HID: off-by-one errors in various _report_fixup routines
CVE-2014-3185 Kernel: USB serial: memory corruption flaw

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
new file mode 100644 (file)
index 0000000..4355c68
--- /dev/null
@@ -0,0 +1,52 @@
+From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 27 Aug 2014 09:12:24 +0200
+Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
+ callback
+
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that
+magicmouse_emit_touch() gets only valid values of raw_id.
+
+This fixes CVE-2014-3181
+Upstream-Status: Backport
+
+Cc: stable@vger.kernel.org
+Reported-by: Steven Vittitoe <scvitti@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-magicmouse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index ecc2cbf..29a74c1 100644
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+               if (size < 4 || ((size - 4) % 9) != 0)
+                       return 0;
+               npoints = (size - 4) / 9;
++              if (npoints > 15) {
++                      hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
++                                      size);
++                      return 0;
++              }
+               msc->ntouches = 0;
+               for (ii = 0; ii < npoints; ii++)
+                       magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+               if (size < 6 || ((size - 6) % 8) != 0)
+                       return 0;
+               npoints = (size - 6) / 8;
++              if (npoints > 15) {
++                      hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
++                                      size);
++                      return 0;
++              }
+               msc->ntouches = 0;
+               for (ii = 0; ii < npoints; ii++)
+                       magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
+-- 
+1.9.1
+
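Review bot: The bound `npoints > 15` is a bare literal written twice (L59 and L71) with nothing tying it to the array that magicmouse_emit_touch() is indexed into with `ii`, so a later resize of that array would silently leave both checks stale; one named constant for the limit used at both sites, or at least a comment such as `/* must stay below the per-device touch array length used by magicmouse_emit_touch() */`, would keep them in step. The array itself is not visible in this hunk, so the value 15 is taken on trust here. The two hid_warn calls are a reasonable way to make malformed reports visible in the log. magicmouse_raw_event continues on both sides of the hunk.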
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
new file mode 100644 (file)
index 0000000..a90d079
--- /dev/null
@@ -0,0 +1,65 @@
+From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:17 -0500
+Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
+ enough
+
+device_index is a char type and the size of paired_dj_deivces is 7
+elements, therefore proper bounds checking has to be applied to
+device_index before it is used.
+
+We are currently performing the bounds checking in
+logi_dj_recv_add_djhid_device(), which is too late, as malicious device
+could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
+problem in one of the report forwarding functions called from
+logi_dj_raw_event().
+
+Fix this by performing the check at the earliest possible ocasion in
+logi_dj_raw_event().
+
+This fixes CVE-2014-3182
+Upstream-Status: Backport
+
+Cc: stable@vger.kernel.org
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-logitech-dj.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index ca0ab51..b7ba829 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
+               return;
+       }
+-      if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+-          (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+-              dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
+-                      __func__, dj_report->device_index);
+-              return;
+-      }
+-
+       if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
+               /* The device is already known. No need to reallocate it. */
+               dbg_hid("%s: device is already known\n", __func__);
+@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
+        * device (via hid_input_report() ) and return 1 so hid-core does not do
+        * anything else with it.
+        */
++      if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
++          (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
++              dev_err(&hdev->dev, "%s: invalid device index:%d\n",
++                              __func__, dj_report->device_index);
++              return false;
++      }
+       spin_lock_irqsave(&djrcv_dev->lock, flags);
+       if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
+-- 
+1.9.1
+
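Review bot: The new rejection at L139-144 calls dev_err for every report carrying an out-of-range device_index, on a path fed directly by device-supplied data, so a misbehaving device can flood the kernel log; `dev_err_ratelimited(&hdev->dev, "%s: invalid device index:%d\n",` keeps the event visible without that cost. `return false;` also sits in a function declared `static int` (L135), and the comment just above (L136-138) says a return of 1 is what stops hid-core from processing the report further, so the 0 presumably hands the malformed report on to hid-core's default handling — worth confirming that is intended rather than writing `return 1;` to drop it. Removing the check from logi_dj_recv_add_djhid_device (L125-130) is only safe if every path into it goes through logi_dj_raw_event, which this hunk does not show. Both functions continue outside the hunk.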
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
new file mode 100644 (file)
index 0000000..f58b2f0
--- /dev/null
@@ -0,0 +1,114 @@
+From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: [PATCH] HID: fix a couple of off-by-ones
+
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+
+This fixes CVE-2014-3184
+Upstream-Status: Backport
+
+Cc: stable@vger.kernel.org
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-cherry.c   | 2 +-
+ drivers/hid/hid-kye.c      | 2 +-
+ drivers/hid/hid-lg.c       | 4 ++--
+ drivers/hid/hid-monterey.c | 2 +-
+ drivers/hid/hid-petalynx.c | 2 +-
+ drivers/hid/hid-sunplus.c  | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
+index 1bdcccc..f745d2c 100644
+--- a/drivers/hid/hid-cherry.c
++++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
++      if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+               hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+               rdesc[11] = rdesc[16] = 0xff;
+               rdesc[12] = rdesc[17] = 0x03;
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index e776963..b92bf01 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                *   - change the button usage range to 4-7 for the extra
+                *     buttons
+                */
+-              if (*rsize >= 74 &&
++              if (*rsize >= 75 &&
+                       rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+                       rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+                       rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index a976f48..f91ff14 100644
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+       struct usb_device_descriptor *udesc;
+       __u16 bcdDevice, rev_maj, rev_min;
+-      if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
++      if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+                       rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+               hid_info(hdev,
+                        "fixing up Logitech keyboard report descriptor\n");
+               rdesc[84] = rdesc[89] = 0x4d;
+               rdesc[85] = rdesc[90] = 0x10;
+       }
+-      if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
++      if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+                       rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+                       rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+               hid_info(hdev,
+diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
+index 9e14c00..25daf28 100644
+--- a/drivers/hid/hid-monterey.c
++++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
++      if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+               hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+               rdesc[30] = 0x0c;
+       }
+diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
+index 736b250..6aca4f2 100644
+--- a/drivers/hid/hid-petalynx.c
++++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
++      if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+                       rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+                       rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+               hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
+index 87fc91e..91072fa 100644
+--- a/drivers/hid/hid-sunplus.c
++++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+               unsigned int *rsize)
+ {
+-      if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
++      if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+                       rdesc[106] == 0x03) {
+               hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+               rdesc[105] = rdesc[110] = 0x03;
+-- 
+1.9.1
+
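Review bot: Each corrected size check is still a bare literal beside a block of rdesc indices, so the relation between the bound and the highest index touched is only implied; where that index is visible the new value is highest index plus one (cherry `>= 18` vs rdesc[17], lg `>= 91` vs rdesc[90] and `>= 51` vs rdesc[50], monterey `>= 31` vs rdesc[30], petalynx `>= 62` vs rdesc[61]), but for kye (`>= 75`, highest visible index 66) and sunplus (`>= 112`, highest visible index 110) the access that justifies the bound lies outside the hunk. A one-line comment on each check naming that index, e.g. `/* highest rdesc index touched below is 17 */`, would make the next index edit update the bound too. All six fixup functions continue past the hunk.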
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
new file mode 100644 (file)
index 0000000..0820807
--- /dev/null
@@ -0,0 +1,51 @@
+From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
+From: James Forshaw <forshaw@google.com>
+Date: Sat, 23 Aug 2014 14:39:48 -0700
+Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
+ response
+
+This patch fixes a potential security issue in the whiteheat USB driver
+which might allow a local attacker to cause kernel memory corrpution. This
+is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
+EHCI and XHCI busses it's possible to craft responses greater than 64
+bytes leading a buffer overflow.
+
+This fixes CVE-2014-3185
+Upstream-Status: Backport
+
+Signed-off-by: James Forshaw <forshaw@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/serial/whiteheat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index e62f2df..6c3734d 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
+               dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
+               return;
+       }
++      if (!urb->actual_length) {
++              dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
++              return;
++      }
+       if (status) {
+               dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
+               if (status != -ENOENT)
+@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
+               /* These are unsolicited reports from the firmware, hence no
+                  waiting command to wakeup */
+               dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
+-      } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
++      } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
++              (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
+               memcpy(command_info->result_buffer, &data[1],
+                                               urb->actual_length - 1);
+               command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
+-- 
+1.9.1
+
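Review bot: The empty-response return added at L304-307 runs before the status handling at L308-310, so an error completion that arrives with actual_length 0 — the usual shape of a failed transfer — now takes the new early return and never reaches whatever the status branch does; its body continues past L310, so if it wakes a waiting command on failure, that wake-up is presumably lost and the caller waits until its timeout. Placing the four new lines after the status block would preserve the old handling for failed URBs while still protecting the memcpy. The length check at L317 is correct only because of that guard: actual_length is unsigned, so `actual_length - 1` wraps on an empty response, and a comment `/* must precede the length check below: actual_length - 1 would wrap on 0 */` on L304 records the dependency. An oversized GET_DTR_RTS reply now falls through to the branch after this one (outside the hunk) rather than being reported as such; a dev_dbg naming the rejected length would make that path observable.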
index 874a3f2b5603b03b74c34cf1befeb0fa105d7778..195b47771db90114760d44b1fff790d23879b721 100644 (file)
@@ -13,6 +13,10 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
     file://udf-CVE-2014-6410.patch \
     file://net-sctp-CVE-2014-0101.patch \
+    file://0001-HID-CVE-2014-3181.patch \
+    file://0002-HID-CVE-2014-3182.patch \
+    file://0003-HID-CVE-2014-3184.patch \
+    file://0004-USB-CVE-2014-3185.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"