android_kernel_samsung_msm8976/drivers/hid
Breno Leitao 9ef5beb2ee HID: hiddev: fix potential Spectre v1
commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.

uref->usage_index can be indirectly controlled by userspace, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This field is used as an array index by the hiddev_ioctl_usage() function,
when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
HIDIOCSUSAGES.

For the cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
field->maxusage and then used as an index to dereference the field->usage
array. The same thing happens in the cmd == HIDIOC{G,S}USAGES cases, where
uref->usage_index is checked against an array maximum value and then used
as an index into an array.

This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
traditional Spectre V1 first load:

	copy_from_user(uref, user_arg, sizeof(*uref))
	if (uref->usage_index >= field->maxusage)
		goto inval;
	i = field->usage[uref->usage_index].collection_index;
	return i;

This patch fixes this by sanitizing the field uref->usage_index before using
it to index the field->usage (HIDIOCGCOLLECTIONINDEX) or field->value
(HIDIOC{G,S}USAGES) arrays, thus avoiding speculation in the first load.

Signed-off-by: Breno Leitao <leitao@debian.org>
--

v2: Contemplate cmd == HIDIOC{G,S}USAGES case
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-07-27 22:06:00 +02:00
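As an added example (not the commit's diff and not the kernel's own code), this userspace C snippet places the unsanitized lookup quoted in the commit message beside its sanitized form, using the same branch-free mask arithmetic as the generic array_index_nospec() in the kernel's include/linux/nospec.h; the reduced struct hid_field, the struct hid_usage name and the four-entry sample table are constructed for illustration.

```c
#include <errno.h>
#include <limits.h>

/* Constructed stand-in for the kernel's struct hid_field, reduced to the
 * members the commit message's summary touches. */
struct hid_usage { unsigned int collection_index; };
struct hid_field { unsigned int maxusage; struct hid_usage *usage; };

/* All-ones mask when index < size, all-zeros otherwise, computed with
 * arithmetic rather than a branch so a misprediction cannot skip it.
 * Same arithmetic as the kernel's generic array_index_mask_nospec();
 * this is a userspace re-implementation, not the kernel's code. */
static unsigned long array_index_mask_nospec(unsigned long index,
                                             unsigned long size)
{
    /* size - index - 1 wraps to a negative value (top bit set) exactly
     * when index >= size; index itself has the top bit set when huge. */
    return ~(long)(index | (size - index - 1)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Clamp index to 0 unless it is provably in range, as array_index_nospec(). */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((index), (size)))

/* The pattern quoted in the commit message: the bounds check is a branch,
 * so a mispredicted path can still issue the load with an out-of-range i. */
static int collection_index_unsanitized(const struct hid_field *f, unsigned int i)
{
    if (i >= f->maxusage)
        return -EINVAL;
    return f->usage[i].collection_index;
}

/* Hardened form of the same lookup: after the check the index is masked, so
 * even a speculatively executed load reads f->usage[0], never an
 * out-of-range element. Architectural results are unchanged. */
static int collection_index_sanitized(const struct hid_field *f, unsigned int i)
{
    if (i >= f->maxusage)
        return -EINVAL;
    i = array_index_nospec(i, f->maxusage);
    return f->usage[i].collection_index;
}

/* Constructed 4-entry usage table so both lookups can be exercised directly. */
static struct hid_usage sample_usages[4] = { {10}, {11}, {12}, {13} };
static const struct hid_field sample_field = { 4, sample_usages };

int lookup_sanitized(unsigned int i)   { return collection_index_sanitized(&sample_field, i); }
int lookup_unsanitized(unsigned int i) { return collection_index_unsanitized(&sample_field, i); }
```

The two lookups return identical values for every input; the difference is only in what the CPU may load on a mispredicted path, which is exactly what the patch closes.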
i2c-hid HID: i2c-hid: allocate hid buffers for real worst case 2019-07-27 21:45:51 +02:00
usbhid HID: hiddev: fix potential Spectre v1 2019-07-27 22:06:00 +02:00
hid-a4tech.c
hid-apple.c HID: apple: option to swap the 'Option' ("Alt") and 'Command' ("Flag") keys. 2013-12-04 10:57:34 -08:00
hid-appleir.c HID: appleir: add support for Apple ir devices 2013-04-18 19:06:20 -07:00
hid-aureal.c
hid-axff.c HID: enable Mayflash USB Gamecube Adapter 2013-12-04 10:57:34 -08:00
hid-belkin.c
hid-cherry.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-chicony.c
hid-core.c This is the 3.10.96 stable release 2017-04-18 17:16:02 +02:00
hid-cypress.c HID: hid-cypress: validate length of report 2019-07-27 21:43:43 +02:00
hid-debug.c HID: debug: check length before copy_to_user() 2019-07-27 21:51:21 +02:00
hid-dr.c
hid-elecom.c
hid-emsff.c
hid-ezkey.c
hid-gaff.c
hid-generic.c
hid-gyration.c
hid-holtek-kbd.c
hid-holtekff.c
hid-hyperv.c
hid-icade.c HID: icade: u16 which never < 0 2013-04-24 16:32:27 +02:00
hid-ids.h Import latest Samsung release 2017-04-18 03:43:52 +02:00
hid-input.c HID: hid-input: Add parentheses to quell gcc warning 2019-07-27 21:42:01 +02:00
hid-kensington.c
hid-keytouch.c
hid-kye.c HID: Add a new id 0x501a for Genius MousePen i608X 2015-01-16 06:59:01 -08:00
hid-lcpower.c
hid-lenovo-tpkbd.c HID: lenovo-tpkbd: validate output report details 2013-10-01 09:17:46 -07:00
hid-lg.c HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 2019-07-27 21:44:06 +02:00
hid-lg.h
hid-lg2ff.c HID: logitech - lg2ff: Add IDs for Formula Vibration Feedback Wheel 2013-12-04 10:57:19 -08:00
hid-lg3ff.c HID: LG: validate HID output report details 2013-10-01 09:17:46 -07:00
hid-lg4ff.c HID:hid-lg4ff: Initialize device properties before we touch autocentering. 2013-12-04 10:57:20 -08:00
hid-lgff.c HID: LG: validate HID output report details 2013-10-01 09:17:46 -07:00
hid-logitech-dj.c HID: logitech-dj: prevent false errors to be shown 2014-10-05 14:54:08 -07:00
hid-logitech-dj.h HID: logitech-dj: prevent false errors to be shown 2014-10-05 14:54:08 -07:00
hid-magicmouse.c This is the 3.10.67 stable release 2015-04-24 18:04:40 -07:00
hid-microsoft.c HID: Add PID for Japanese version of NE4K keyboard 2013-04-29 10:16:55 +02:00
hid-monterey.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-multitouch.c Merge upstream linux-stable v3.10.28 into msm-3.10 2014-03-24 14:28:34 -07:00
hid-ntrig.c hid: hid-ntrig: Fix input_configured function 2017-04-18 12:19:41 +02:00
hid-ortek.c
hid-petalynx.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-picolcd.h Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
hid-picolcd_backlight.c
hid-picolcd_cir.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-26 17:18:16 -07:00
hid-picolcd_core.c HID: picolcd: sanity check report size in raw_event() callback 2014-10-05 14:54:08 -07:00
hid-picolcd_debugfs.c HID: fix data access in implement() 2013-10-13 16:08:28 -07:00
hid-picolcd_fb.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-26 17:18:16 -07:00
hid-picolcd_lcd.c
hid-picolcd_leds.c
hid-pl.c HID: pantherlord: validate output report details 2013-09-26 17:18:15 -07:00
hid-primax.c
hid-prodikeys.c
hid-ps3remote.c
hid-roccat-arvo.c
hid-roccat-arvo.h
hid-roccat-common.c HID: roccat: add new device return value 2013-12-04 10:57:34 -08:00
hid-roccat-common.h
hid-roccat-isku.c HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-isku.h HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-kone.c HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-kone.h HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-koneplus.c
hid-roccat-koneplus.h
hid-roccat-konepure.c HID: roccat: add support for KonePureOptical v2 2013-10-13 16:08:35 -07:00
hid-roccat-konepure.h HID: roccat: add support for Roccat Kone Pure gaming mouse 2013-03-14 11:50:49 +01:00
hid-roccat-kovaplus.c HID: roccat: fix Coverity CID 141438 2013-12-04 10:57:34 -08:00
hid-roccat-kovaplus.h
hid-roccat-lua.c
hid-roccat-lua.h
hid-roccat-pyra.c HID: roccat: potential out of bounds in pyra_sysfs_write_settings() 2015-01-16 06:59:01 -08:00
hid-roccat-pyra.h
hid-roccat-savu.c
hid-roccat-savu.h
hid-roccat.c HID: roccat: fix comments on chardevice 2013-03-14 11:50:49 +01:00
hid-saitek.c
hid-samsung.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
hid-sensor-hub.c HID: hid-sensor-hub: fix report size 2013-12-04 10:57:19 -08:00
hid-sjoy.c
hid-sony.c
hid-speedlink.c HID: Fix Speedlink VAD Cezanne support for some devices 2013-09-26 17:18:16 -07:00
hid-steelseries.c HID: steelseries: validate output report details 2013-10-01 09:17:46 -07:00
hid-sunplus.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-synaptics-bt.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
hid-thingm.c
hid-tivo.c
hid-tmff.c
hid-topseed.c
hid-twinhan.c
hid-uclogic.c
hid-wacom.c
hid-waltop.c
hid-wiimote-core.c HID: wiimote: parse reduced status reports 2013-04-04 09:38:43 +02:00
hid-wiimote-debug.c
hid-wiimote-ext.c
hid-wiimote.h
hid-zpff.c HID: zeroplus: validate output report details 2013-10-01 09:17:46 -07:00
hid-zydacron.c
hidraw.c HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device 2019-07-27 21:52:17 +02:00
Kconfig Import latest Samsung release 2017-04-18 03:43:52 +02:00
Makefile Import latest Samsung release 2017-04-18 03:43:52 +02:00
uhid.c HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges 2019-07-27 21:53:06 +02:00