From 2d278dc85a6b6fbe8fd1531ea7daeb73537b9cb4 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Sep 12 2014 16:43:27 +0000
Subject: CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179)
---
diff --git a/HID-magicmouse-sanity-check-report-size-in-raw_event.patch b/HID-magicmouse-sanity-check-report-size-in-raw_event.patch
new file mode 100644
index 0000000..32863af
--- /dev/null
+++ b/HID-magicmouse-sanity-check-report-size-in-raw_event.patch
@@ -0,0 +1,51 @@
+From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Wed, 27 Aug 2014 09:12:24 +0200
+Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
+ callback
+
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that
+magicmouse_emit_touch() gets only valid values of raw_id.
+
+Bugzilla: 1141179
+Upstream-status: 3.17 and CC'd stable
+
+Cc: stable@vger.kernel.org
+Reported-by: Steven Vittitoe
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-magicmouse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index ecc2cbf300cc..29a74c1efcb8 100644
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ if (size < 4 || ((size - 4) % 9) != 0)
+ return 0;
+ npoints = (size - 4) / 9;
++ if (npoints > 15) {
++ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
++ size);
++ return 0;
++ }
+ msc->ntouches = 0;
+ for (ii = 0; ii < npoints; ii++)
+ magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ if (size < 6 || ((size - 6) % 8) != 0)
+ return 0;
+ npoints = (size - 6) / 8;
++ if (npoints > 15) {
++ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
++ size);
++ return 0;
++ }
+ msc->ntouches = 0;
+ for (ii = 0; ii < npoints; ii++)
+ magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 439b7de..ba4d295 100644
--- a/kernel.spec
+++ b/kernel.spec
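Review bot: The limit in `if (npoints > 15) {` is a bare literal repeated in both added checks (the TRACKPAD_REPORT_ID and MOUSE_REPORT_ID branches), and nothing ties it to the size of the per-touch storage that magicmouse_emit_touch() indexes with raw_id, which is declared outside these hunks. If that storage is resized or another report type is added, the guard can drift from the real bound and the out-of-bounds write returns. One named constant shared with the array declaration, e.g. `if (npoints > MAGICMOUSE_MAX_POINTS) {` (a constructed name; the project may prefer an ARRAY_SIZE() form), plus a comment such as `/* raw_id indexes the per-touch arrays; reject reports with more points than they hold */`, would keep the two in step. The added `hid_warn()` also fires on every rejected report, so a misbehaving device can flood the kernel log; a rate-limited call such as `dev_warn_ratelimited(&hdev->dev, ...)` would bound that. magicmouse_raw_event() starts and ends outside both embedded hunks.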
@@ -637,6 +637,9 @@ Patch26021: i8042-Also-store-the-aux-firmware-id-in-multi-plexed.patch Patch26022: psmouse-Add-psmouse_matches_pnp_id-helper-function.patch Patch26023: psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch +#CVE-2014-3181 rhbz 1141179 1141173 +Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1367,6 +1370,9 @@ ApplyPatch i8042-Also-store-the-aux-firmware-id-in-multi-plexed.patch ApplyPatch psmouse-Add-psmouse_matches_pnp_id-helper-function.patch ApplyPatch psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch +#CVE-2014-3181 rhbz 1141179 1141173 +ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2243,6 +2249,9 @@ fi # ||----w | # || || %changelog +* Fri Sep 12 2014 Josh Boyer +- CVE-2014-3181 HID: OOB write in magicmouse driver (rhbz 1141173 1141179) + * Thu Sep 11 2014 Josh Boyer - Add support for touchpad in Asus X450 and X550 (rhbz 1110011)