diff --git a/debian/changelog b/debian/changelog
index 0deb91f3a..dfaa97afa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -74,6 +74,13 @@ linux (3.10.11-1) UNRELEASED; urgency=low
 * [x86] amd64_edac: Fix single-channel setups (Closes: #717473)
 * [x86] efi: Ensure efi-pstore is loaded on EFI systems
 * bug script: Prompt to include crash logs from pstore
+ * ipv6: remove max_addresses check from ipv6_create_tempaddr (CVE-2013-0343)
+ * HID: validate HID report id size (CVE-2013-2888)
+ * HID: pantherlord: validate output report details (CVE-2013-2892)
+ * HID: ntrig: validate feature report details (CVE-2013-2896)
+ * HID: sensor-hub: validate feature report details (CVE-2013-2898)
+ * HID: picolcd_core: validate output report details (CVE-2013-2899)
+ * HID: check for NULL field when setting values
 [ Ian Campbell ]
 * [armel]: Enable MVMDIO and USB_EHCI_HCD_ORION on Kirkwood and Orion
diff --git a/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch b/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
new file mode 100644
index 000000000..2c204c673
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
@@ -0,0 +1,30 @@
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: [6/6] HID: check for NULL field when setting values
+Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
diff --git a/debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch b/debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch
new file mode 100644
index 000000000..a437fb559
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch
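Review bot: The added guard in hid_set_field reports failure as a bare `-1`, whereas the other validation patches in this series (ntrig, sensor-hub, picolcd) return `-EINVAL`; if the rest of hid_set_field, which continues past this hunk, already returns `-1` on its other error paths then keeping it is consistent, otherwise `return -EINVAL;` would give callers a distinguishable errno. The check covers only `field` itself — the `hid_dump_input(field->report->device, ...)` call two lines later still assumes `field->report` is populated, which this hunk does not verify and which presumably relies on how hid-core fills in fields at registration. The intent deserves a comment above the test, e.g. `/* defensive: a driver may hand us a NULL field; reject it before it is dereferenced below */`.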
@@ -0,0 +1,37 @@
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:31:28 +0200
+Subject: [3/6] HID: ntrig: validate feature report details
+Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Signed-off-by: Rafi Rubin
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index 98d1fdf..600f207 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
diff --git a/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch b/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
new file mode 100644
index 000000000..82b3f6930
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
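Review bot: The new `report->field[0]->report_count < 1` test in ntrig_get_mode is unexplained in the code; it only matters if the value fetched by the `hid_hw_request(..., HID_REQ_GET_REPORT)` below is later read from `report->field[0]->value[0]`, which lies past the end of this hunk and should be confirmed in the backport. A comment such as `/* need a first field with at least one value slot: the mode is read back from field[0]->value[0] */` would tie the check to that read. The lookup also indexes `report_id_hash` with the hard-coded report id `0x0d`; giving it a named constant would make the relationship between the three checks and the expected report layout clearer. ntrig_get_mode continues past the hunk.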
@@ -0,0 +1,43 @@
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:30:49 +0200
+Subject: [2/6] HID: pantherlord: validate output report details
+Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+ strong = &report->field[0]->value[2];
+ weak = &report->field[0]->value[3];
+ debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+ report->field[0]->value[0] = 0x00;
+ report->field[1]->value[0] = 0x00;
+ strong = &report->field[2]->value[0];
diff --git a/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch b/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
new file mode 100644
index 000000000..fe0b5f481
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
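Review bot: The rewritten else-if in plff_init now evaluates `report->field[0]->maxusage` and `report->field[0]->usage[0].hid` before it tests `report->maxfield >= 4`, so it is only safe because something ahead of this chain (outside the hunk) must already guarantee at least one field — the preceding branch also reads `report->field[0]->value[2]` — and that earlier guard should be confirmed when backporting. The four `report_count >= 1` tests are what make the `report->field[N]->value[0]` accesses in the branch body valid (fields 0–2 are visible here; field 3 is presumably used past the hunk), but nothing in the code says so; a comment above the condition, e.g. `/* four-field variant: fields 0-3 must each have one value slot, since value[0] of each is touched below */`, would keep that reasoning with the code. The eight-clause condition would also read better as a small static predicate helper. plff_init continues on both sides of the hunk.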
@@ -0,0 +1,45 @@
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: [5/6] HID: picolcd_core: validate output report details
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+ report->maxfield < 1
+
+to
+
+ report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Reviewed-by: Bruno Prémont
+Acked-by: Bruno Prémont
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..acbb0210 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+ buf += 10;
+ cnt -= 10;
+ }
+- if (!report)
++ if (!report || report->maxfield != 1)
+ return -EINVAL;
+
+ while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
diff --git a/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch b/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
new file mode 100644
index 000000000..0bbdc3963
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
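Review bot: The `report->maxfield != 1` check in picolcd_operation_mode_store fixes the number of fields but says nothing about `report->field[0]->report_count`, so whatever the function later stores into that field (outside this hunk) is only safe if it goes through a setter that bounds-checks the offset or the count is validated here; if it indexes `value[]` directly, the condition should gain a `|| report->field[0]->report_count < N` term for the number of slots used. The commit message records why `!= 1` was preferred over `< 1`, but the code does not; a comment such as `/* the operation-mode output report is expected to carry exactly one field */` would preserve that reasoning next to the check. The function continues past the hunk.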
@@ -0,0 +1,33 @@
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:31:44 +0200
+Subject: [4/6] HID: sensor-hub: validate feature report details
+Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Reviewed-by: Mika Westerberg
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ffc80cf..6fca30e 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+ mutex_lock(&data->mutex);
+ report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ ret = -EINVAL;
+ goto done_proc;
+ }
diff --git a/debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch b/debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch
new file mode 100644
index 000000000..556801a0b
--- /dev/null
+++ b/debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch
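Review bot: The added `report->field[field_index]->report_count < 1` test in sensor_hub_get_feature carries no comment explaining what it protects; per the commit message it stops a read past the field's `value[]` allocation, which implies the function reads `value[0]` of that field after this hunk — worth stating, e.g. `/* value[0] is read below; a zero-count field has no value storage */`. Any sibling accessor in this file that resolves a report and field the same way and then indexes `value[]` directly needs the same guard, or must route through a setter that bounds-checks the offset. The `field_index >= report->maxfield` comparison only rejects negative indices if `field_index` is unsigned; its declaration is outside the hunk, so confirm it is (the hunk header shows `u32 report_id`, suggesting the same type is used for the index). sensor_hub_get_feature continues past the hunk.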
@@ -0,0 +1,57 @@
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:29:55 +0200
+Subject: [1/6] HID: validate HID report id size
+Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 36668d1..5ea7d51 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+ return -1;
+ }
+ return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
diff --git a/debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch b/debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
new file mode 100644
index 000000000..1babd5c9f
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
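Review bot: The `id >= HID_MAX_IDS` rejection in hid_register_report and the `HID_MAX_IDS` loop bound in hid_close_report are only correct if `HID_MAX_IDS` equals the declared size of `report_enum->report_id_hash`, and nothing in this patch ties the two together — the diffstat touches only hid-core.c, so the array declaration in the header is not updated here and the constant must already match it in the 3.10 tree. Expressing both bounds through the array itself removes that dependency: `if (id >= ARRAY_SIZE(report_enum->report_id_hash))` and `for (j = 0; j < ARRAY_SIZE(report_enum->report_id_hash); j++) {` (with `j` unsigned), or at least a `BUILD_BUG_ON(ARRAY_SIZE(report_enum->report_id_hash) != HID_MAX_IDS)` if the macro is kept. hid_register_report now returns NULL for an out-of-range id; the descriptor-parsing path is covered by the new report_id check in hid_parser_global, but any other caller (outside the hunk) must tolerate a NULL return. A short comment at the rejection point, e.g. `/* report_id_hash has HID_MAX_IDS slots; a larger id would index past it */`, would document the bound.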
@@ -0,0 +1,60 @@
+From: Hannes Frederic Sowa
+Date: Fri, 16 Aug 2013 13:02:27 +0200
+Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
+Origin: https://git.kernel.org/linus/4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+Because of the max_addresses check attackers were able to disable privacy
+extensions on an interface by creating enough autoconfigured addresses:
+
+
+
+But the check is not actually needed: max_addresses protects the
+kernel to install too many ipv6 addresses on an interface and guards
+addrconf_prefix_rcv to install further addresses as soon as this limit
+is reached. We only generate temporary addresses in direct response of
+a new address showing up. As soon as we filled up the maximum number of
+addresses of an interface, we stop installing more addresses and thus
+also stop generating more temp addresses.
+
+Even if the attacker tries to generate a lot of temporary addresses
+by announcing a prefix and removing it again (lifetime == 0) we won't
+install more temp addresses, because the temporary addresses do count
+to the maximum number of addresses, thus we would stop installing new
+autoconfigured addresses when the limit is reached.
+
+This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+possible).
+
+Thanks to Ding Tianhong to bring this topic up again.
+
+Cc: Ding Tianhong
+Cc: George Kargiotakis
+Cc: P J P
+Cc: YOSHIFUJI Hideaki
+Signed-off-by: Hannes Frederic Sowa
+Acked-by: Ding Tianhong
+Signed-off-by: David S. Miller
+[bwh: Backported to 3.10: adjust ipv6_add_addr() parameter list]
+---
+ net/ipv6/addrconf.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1124,12 +1124,10 @@ retry:
+ if (ifp->flags & IFA_F_OPTIMISTIC)
+ addr_flags |= IFA_F_OPTIMISTIC;
+
+- ift = !max_addresses ||
+- ipv6_count_addresses(idev) < max_addresses ?
+- ipv6_add_addr(idev, &addr, tmp_plen,
+- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+- addr_flags) : NULL;
+- if (IS_ERR_OR_NULL(ift)) {
++ ift = ipv6_add_addr(idev, &addr, tmp_plen,
++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
++ addr_flags);
++ if (IS_ERR(ift)) {
+ in6_ifa_put(ifp);
+ in6_dev_put(idev);
+ pr_info("%s: retry temporary address regeneration\n", __func__);
diff --git a/debian/patches/series b/debian/patches/series
index a369a61cf..59113b42f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -117,3 +117,10 @@ bugfix/arm/I2C-mv64xxx-move-mv64xxx_i2c_prepare_for_io.patch
 bugfix/arm/I2C-mv64xxx-fix-race-between-FSM-interrupt-and-proce.patch
 bugfix/arm/ARM-Fix-the-world-famous-typo-with-is_gate_vma.patch
 bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
+bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
+bugfix/all/HID-validate-HID-report-id-size.patch
+bugfix/all/HID-pantherlord-validate-output-report-details.patch
+bugfix/all/HID-ntrig-validate-feature-report-details.patch
+bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
+bugfix/all/HID-picolcd_core-validate-output-report-details.patch
+bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
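Review bot: Relaxing `IS_ERR_OR_NULL(ift)` to `IS_ERR(ift)` in ipv6_create_tempaddr is only safe if the 3.10 `ipv6_add_addr()` never returns NULL and reports every failure as an ERR_PTR; the backport note says its parameter list was adjusted for 3.10, so its return contract should be checked against that version as well, since a NULL `ift` would now bypass the retry path and be used after the hunk. If that cannot be confirmed, keep `if (IS_ERR_OR_NULL(ift)) {`. The dropped `max_addresses` test also deserves a comment so it is not reinstated later as a hardening measure, e.g. `/* no max_addresses check here: addrconf_prefix_rcv already enforces the per-interface limit, and re-applying it let a peer fill the limit and disable privacy extensions (CVE-2013-0343) */`. ipv6_create_tempaddr continues on both sides of this hunk.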