Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.0.97 2013-09-26T23:52:48+00:00 2013-09-26T23:52:48+00:00 Kees Cook keescook@chromium.org 2013-08-28T20:32:01+00:00 urn:sha1:fc4a8fd8746dcd6ff011bc61c06fe9cf5ed2015a commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream. Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:48+00:00 Kees Cook keescook@chromium.org 2013-08-28T20:31:28+00:00 urn:sha1:0d564bb5984ae5b94233bc0bdb0e38073fc1b038 commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream. A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:48+00:00 Kees Cook keescook@chromium.org 2013-08-28T20:29:55+00:00 urn:sha1:645c9dcabb2c234e6d4a546125830d04988a1f90 commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream. The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:47+00:00 Kees Cook keescook@chromium.org 2013-08-28T20:30:49+00:00 urn:sha1:c993386d8c99c60ffb1161076040f3ffb46c0794 commit 412f30105ec6735224535791eed5cdc02888ecb4 upstream. A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:47+00:00 Felix Fietkau nbd@openwrt.org 2013-08-13T10:33:28+00:00 urn:sha1:8600be1d3927e177b80c7ee9263ef3b28a0ba115 commit a1c781bb20ac1e03280e420abd47a99eb8bbdd3b upstream. They are not implemented, and accessing them might trigger errors Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:47+00:00 Felix Fietkau nbd@openwrt.org 2013-08-06T12:18:10+00:00 urn:sha1:be84480edb2b552c2fb9ca940c6bb07464306108 commit 026d5b07c03458f9c0ccd19c3850564a5409c325 upstream. Otherwise in some cases, EAPOL frames might be filtered during the initial handshake, causing delays and assoc failures. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:47+00:00 Hans de Goede hdegoede@redhat.com 2013-08-03T14:37:48+00:00 urn:sha1:ff819a0c7f12179d197aa06841087964dd2be7d3 commit b4f17a488ae2e09bfcf95c0e0b4219c246f1116a upstream. While reading the config parsing code I noticed this check is missing, without this check config->desc.wTotalLength can end up with a value larger then the dev->rawdescriptors length for the config, and when userspace then tries to get the rawdescriptors bad things may happen. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:46+00:00 Oliver Neukum oneukum@suse.de 2013-08-06T12:22:59+00:00 urn:sha1:fe3efa501f32fc05483a095334573799a954d1ab commit 6dd433e6cf2475ce8abec1b467720858c24450eb upstream. Both could want to submit the same URB. Some checks of the flag intended to prevent that were missing. Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:46+00:00 Johan Hovold jhovold@gmail.com 2013-08-19T11:05:45+00:00 urn:sha1:5f8ce0764bb3d54090856cca1c8562c0435003ca commit 3b716caf190ccc6f2a09387210e0e6a26c1d81a4 upstream. Fix endianess bugs in parallel-port code which caused corrupt control-requests to be issued on big-endian machines. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T23:52:46+00:00 Dan Carpenter dan.carpenter@oracle.com 2013-08-16T07:16:59+00:00 urn:sha1:d723c89020d4f5f54b42997ae5e90f13bc620d8b commit d0bd9a41186e076ea543c397ad8a67a6cf604b55 upstream. The write_parport_reg_nonblock() function shouldn't sleep because it's called with spinlocks held. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>