codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

Linux kernel hid-logitech-dj.c device_index arbitrary kfree #89

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A bug exists in drivers/hid/hid-logitech-dj.c that can result in a kfree of an 
arbitrary pointer. The logi_dj_recv_destroy_djhid_device function fails to 
bounds check the device_index that is supplied in the device-controlled 
“struct dj_report”. This leads to an out-of-bounds array access, since 
djrcv_dev->paired_dj_devices has 7 elements and the device_index is a character 
type (i.e. indexes up to 255). 

We consider this a security bug in the context of an attacker who gains 
short-term physical access to a running device with the goal of turning this 
into long-term remote access. We have confirmed that this issue is triggerable 
in practice by modifying QEMU’s “dev-hid.c” to exhibit a malformed 
REPORT_TYPE_NOTIF_DEVICE_UNPAIRED report type. 

I’ve attached a non-tested patch that attempts to address the issue, and also 
variants in logi_dj_recv_forward_null_report and logi_dj_recv_forward_report. 
The idea is to move the device_id bounds check to the earliest possible point 
in logi_dj_raw_event.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 18 Aug 2014 at 10:44
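Added example, not the kernel's hid-logitech-dj.c code nor the reporter's patch: a C model of the fix the report proposes, with device_index validated once at the raw-event entry point before any handler indexes the 7-slot paired-device array. Treating slot 0 as the receiver and 1..6 as paired devices, and the report_type value, are assumptions made for this model.

```c
/* Added example, not code from the kernel driver: models the fix the report
 * proposes, one bounds check on device_index at the raw-event entry point
 * before any handler indexes the 7-slot array. Slot layout and the
 * report_type value are assumptions for this model. */
#include <stdint.h>
#include <stdlib.h>

#define PAIRED_SLOTS          7      /* from the report: 7 elements */
#define DEVICE_INDEX_MIN      1      /* assumed: slot 0 is the receiver */
#define DEVICE_INDEX_MAX      (PAIRED_SLOTS - 1)
#define NOTIF_DEVICE_UNPAIRED 0x40   /* constructed value for this model */

struct dj_report {                   /* device-controlled header, 3 raw bytes */
    uint8_t report_id;
    uint8_t device_index;            /* one byte: 0..255 before any check */
    uint8_t report_type;
};
struct dj_device { int id; };
struct dj_receiver { struct dj_device *paired[PAIRED_SLOTS]; };

/* The missing check: refuse any index that is not a paired-device slot. */
int dj_device_index_valid(const struct dj_report *rep)
{
    return rep->device_index >= DEVICE_INDEX_MIN &&
           rep->device_index <= DEVICE_INDEX_MAX;
}

/* Unpair handler; safe only because the caller validated device_index. */
static int destroy_djhid_device(struct dj_receiver *r, const struct dj_report *rep)
{
    struct dj_device *d = r->paired[rep->device_index];
    if (!d)
        return 0;                    /* slot already empty */
    r->paired[rep->device_index] = NULL;
    free(d);
    return 1;                        /* a paired device was released */
}

/* Entry point for a raw report. Returns -1 if rejected, else the handler result. */
int dj_raw_event(struct dj_receiver *r, const uint8_t *buf, size_t len)
{
    struct dj_report rep;
    if (len < sizeof rep)
        return -1;                   /* truncated report */
    rep.report_id = buf[0]; rep.device_index = buf[1]; rep.report_type = buf[2];
    if (!dj_device_index_valid(&rep))
        return -1;                   /* index 0 and 7..255 never reach paired[] */
    if (rep.report_type == NOTIF_DEVICE_UNPAIRED)
        return destroy_djhid_device(r, &rep);
    return 0;                        /* other report types: nothing to do in this model */
}
```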


GoogleCodeExporter commented 9 years ago
The patch has been fixed up and committed by Jiri Kosina: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

Thanks for the fast response from security@kernel.org and Jiri.

Original comment by haw...@google.com on 21 Aug 2014 at 11:03

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 21 Aug 2014 at 11:05

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 23 Aug 2014 at 6:04

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 11 Sep 2014 at 7:55