HID: validate HID report id size

commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@kernel.org Signed-off-by: Jiri Kosina <jkosina@suse.cz> [jmm: backport to 2.6.32] Signed-off-by: Willy Tarreau <w@1wt.eu>
author: Kees Cook <keescook@chromium.org> 2013-08-28 20:29:55 +0000
committer: Willy Tarreau <w@1wt.eu> 2014-05-19 07:53:27 +0200
commit: dc4108776e19ac3f653c288138b1f23da655eb61 (patch)
tree: c94c56d197852c6f3e99737af234373733ed4285 /include
parent: f9653a5ab3bba8a3ace8174df52776ee98239c4a (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 87093652dda8..481080d0c8f4 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -410,10 +410,12 @@ struct hid_report {
 	struct hid_device *device;			/* associated device */
 };
 
+#define HID_MAX_IDS 256
+
 struct hid_report_enum {
 	unsigned numbered;
 	struct list_head report_list;
-	struct hid_report *report_id_hash[256];
+	struct hid_report *report_id_hash[HID_MAX_IDS];
 };
 
 #define HID_REPORT_TYPES 3
author	Kees Cook <keescook@chromium.org>	2013-08-28 20:29:55 +0000
committer	Willy Tarreau <w@1wt.eu>	2014-05-19 07:53:27 +0200
commit	dc4108776e19ac3f653c288138b1f23da655eb61 (patch)
tree	c94c56d197852c6f3e99737af234373733ed4285 /include
parent	f9653a5ab3bba8a3ace8174df52776ee98239c4a (diff)