ganado / google-security-research

Automatically exported from code.google.com/p/google-security-research

Linux kernel hid-logitech-dj.c logi_dj_ll_raw_request heap overflow #90

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Another potential issue (similar but distinct from https://code.google.com/p/google-security-research/issues/detail?id=89) exists in drivers/hid/hid-logitech-dj.c that can result in a heap overflow. The bounds check on "count" in logi_dj_ll_raw_request appears to only apply a minimum bound on "count", not a maximum. The allocated output buffer is 15 (DJREPORT_SHORT_LENGTH) bytes in length, but hid_hw_raw_request will issue requests up to 4096 (HID_MAX_BUFFER_SIZE), which could result in heap overflow.

This issue has not been triggered/confirmed, but a suggested patch has been attached. This assumes that the current behavior of rounding "count" up to a bigger value is erroneous (since it could leak a small amount of data contiguous to "buf") - this assumption should be confirmed with the device driver maintainer.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 18 Aug 2014 at 11:03


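A userland model of the check the report describes, as an added example (not the kernel's code and not the committed patch): a 15-byte out_buf sits in a simulated heap with a canary standing in for the neighbouring allocation, the unpatched branch keeps the minimum-only bound, and the hardened branch rejects any count that does not fit behind the 2-byte header. The value of REPORT_ID_DJ_SHORT and the 4096-byte sample request are assumed/constructed.

```c
/* Added model of the bounds check described above; not the kernel's code.
 * Sizes follow the report, REPORT_ID_DJ_SHORT is an assumed header value. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define DJREPORT_SHORT_LENGTH 15     /* bytes allocated for the output report */
#define HID_MAX_BUFFER_SIZE   4096   /* largest count hid_hw_raw_request passes down */
#define REPORT_ID_DJ_SHORT    0x20   /* assumed */
#define CANARY_LEN            8

/* Simulated heap: out_buf followed by a canary standing in for the allocator's
 * next object. Large enough that a 4096-byte copy stays inside the array. */
static uint8_t heap[2 + HID_MAX_BUFFER_SIZE + CANARY_LEN];
#define out_buf (heap)
#define canary  (heap + DJREPORT_SHORT_LENGTH)
static uint8_t sample_request[HID_MAX_BUFFER_SIZE];   /* constructed caller data */

static const uint8_t *make_sample_request(void)
{
    for (size_t i = 0; i < sizeof sample_request; i++)
        sample_request[i] = (uint8_t)i;           /* recognisable pattern */
    return sample_request;
}

/* hardened=0: the minimum-only check the report describes.
 * hardened=1: reject anything that does not fit behind the 2-byte header.
 * Returns payload bytes copied, or -EINVAL. */
static int build_dj_report(const uint8_t *buf, size_t count, uint8_t index, int hardened)
{
    memset(heap, 0, sizeof heap);
    memset(canary, 0xAA, CANARY_LEN);
    if (hardened) {
        if (count > DJREPORT_SHORT_LENGTH - 2)
            return -EINVAL;
    } else if (count < DJREPORT_SHORT_LENGTH - 2) {
        count = DJREPORT_SHORT_LENGTH - 2;        /* rounds up: over-reads buf */
    }
    out_buf[0] = REPORT_ID_DJ_SHORT;
    out_buf[1] = index;
    memcpy(out_buf + 2, buf, count);              /* overflows when count > 13 */
    return (int)count;
}

static int canary_intact(void)                    /* 1 if the neighbour survived */
{
    for (int i = 0; i < CANARY_LEN; i++)
        if (canary[i] != 0xAA) return 0;
    return 1;
}
```

With count = HID_MAX_BUFFER_SIZE the unpatched path copies all 4096 bytes and clobbers the canary, while the hardened path returns -EINVAL and leaves it untouched; with count = 4 the unpatched path silently rounds up to 13 and copies nine bytes the caller never supplied.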
GoogleCodeExporter commented 9 years ago
The patch has been committed by Jiri Kosina: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51217e69697fba92a06e07e16f55c9a52d8e8945

Thanks for the fast response from security@kernel.org and Jiri.

Original comment by haw...@google.com on 21 Aug 2014 at 11:04

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 11 Sep 2014 at 7:55