codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

Linux kernel HID report fixup multiple off-by-one issues #91

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A variety of HID drivers have off-by-one or similar bugs in their report 
descriptor fixup code. The following cases were identified:

- In hid-cherry.c, ch_report_fixup checks for rsize >= 17 and then sets rdesc[17].
- In hid-kye.c, kye_report_fixup checks for rsize >= 74 and then sets rdesc[74].
- In hid-lg.c, lg_report_fixup checks for rsize >= 90 and then sets rdesc[90]. Similar case with (quirks & LG_RDESC_REL_ABS) condition in same function.
- In hid-monterey.c, mr_report_fixup checks for rsize >= 30 and then sets rdesc[30].
- In hid-petalynx.c, pl_report_fixup checks for rsize >= 60 and then sets rdesc[60].
- In hid-sunplus.c, sp_report_fixup checks for rsize >= 107 and then sets both rdesc[110] and rdesc[111].

In practice it doesn't look like any of these would be exploitable due to 
kmalloc size alignment - i.e. none of these constant offsets appear to straddle 
a slab size class.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 19 Aug 2014 at 12:31
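
An added illustration of the bounds arithmetic behind the report above, written for this page; it is not the kernel's code nor the reporter's. A descriptor of rsize bytes has valid indices 0..rsize-1, so writing rdesc[N] requires rsize > N, not rsize >= N. The helper names (min_rsize_for_indices, check_is_off_by_one, fixup_byte, try_fixup) and the sample byte values are hypothetical; the offsets come from the driver list in the report.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example modelling the report_fixup() pattern: a driver
 * checks rsize and then writes rdesc[N]. Valid indices are 0..rsize-1. */

/* Smallest rsize that makes every index in `idx` a valid write target
 * (the bound the driver should have checked). Returns 0 for n == 0. */
size_t min_rsize_for_indices(const size_t *idx, size_t n)
{
    size_t need = 0;
    for (size_t i = 0; i < n; i++)
        if (idx[i] + 1 > need)
            need = idx[i] + 1;
    return need;
}

/* A driver that checks `rsize >= checked_rsize` still accepts
 * rsize == checked_rsize; the write to rdesc[written_idx] is then out of
 * bounds whenever written_idx >= checked_rsize. Returns 1 in that case. */
int check_is_off_by_one(size_t checked_rsize, size_t written_idx)
{
    return written_idx >= checked_rsize;
}

/* Hardened fixup: touch rdesc[idx] only when it lies inside the buffer
 * and holds the byte the quirk expects. Returns 1 if patched, else 0. */
int fixup_byte(uint8_t *rdesc, size_t rsize, size_t idx,
               uint8_t expect, uint8_t replace)
{
    if (idx >= rsize)          /* rejects rsize == idx, the off-by-one case */
        return 0;
    if (rdesc[idx] != expect)
        return 0;
    rdesc[idx] = replace;
    return 1;
}

/* Self-contained harness: a 128-byte descriptor presented to the fixup as
 * only `rsize` bytes long, with the expected byte (0x65, constructed)
 * placed at `idx`. Returns fixup_byte()'s result, or -1 if the harness
 * itself cannot hold the request. */
int try_fixup(size_t rsize, size_t idx)
{
    uint8_t rdesc[128] = {0};
    if (rsize > sizeof rdesc || idx >= sizeof rdesc)
        return -1;
    rdesc[idx] = 0x65;
    return fixup_byte(rdesc, rsize, idx, 0x65, 0x75);
}
```

For the hid-sunplus.c case, min_rsize_for_indices on {110, 111} yields 112 where the driver checked for 107.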


GoogleCodeExporter commented 9 years ago
The patch has been committed by Jiri Kosina:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ab25786c87eb20857bbb715c3ae34ec8fd6a214

Thanks for the fast response from security@kernel.org and Jiri.

Original comment by haw...@google.com on 21 Aug 2014 at 11:05

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 11 Sep 2014 at 7:56