diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch deleted file mode 100644 index cad53a3..0000000 --- a/HID-CVE-fixes.patch +++ /dev/null @@ -1,1354 +0,0 @@ -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:03:58 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11796oab; - Wed, 11 Sep 2013 13:03:58 -0700 (PDT) -X-Received: by 10.68.212.106 with SMTP id nj10mr3810582pbc.74.1378929838373; - Wed, 11 Sep 2013 13:03:58 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id ar2si22908345pbc.232.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:03:58 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1756767Ab3IKT5P (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:15 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:61286 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1755250Ab3IKT5M (ORCPT ); - Wed, 11 Sep 2013 15:57:12 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJv5ds028134 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:05 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jX020673; - Wed, 11 Sep 2013 15:57:03 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 01/10] HID: provide a helper for validating hid reports -Date: Wed, 11 Sep 2013 21:56:50 +0200 -Message-Id: <1378929419-6269-2-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 3882 -Lines: 115 - -From: Kees Cook - -Many drivers need to validate the characteristics of their HID report -during initialization to avoid misusing the reports. This adds a common -helper to perform validation of the report exisitng, the field existing, -and the expected number of values within the field. - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- -v3: - - no changes - -v2: - - suggestions from Benjamin Tissoires: - - check id too, just to be double-safe. - - updated to check a specific field, moving the for loop to callers. - - drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++ - include/linux/hid.h | 4 ++++ - 2 files changed, 62 insertions(+) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 2c77854..44b6c68 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -801,6 +801,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) - } - EXPORT_SYMBOL_GPL(hid_parse_report); - -+static const char * const hid_report_names[] = { -+ "HID_INPUT_REPORT", -+ "HID_OUTPUT_REPORT", -+ "HID_FEATURE_REPORT", -+}; -+/** -+ * hid_validate_values - validate existing device report's value indexes -+ * -+ * @device: hid device -+ * @type: which report type to examine -+ * @id: which report ID to examine (0 for first) -+ * @field_index: which report field to examine -+ * @report_counts: expected number of values -+ * -+ * Validate the number of values in a given field of a given report, after -+ * parsing. -+ */ -+struct hid_report *hid_validate_values(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int field_index, -+ unsigned int report_counts) -+{ -+ struct hid_report *report; -+ -+ if (type > HID_FEATURE_REPORT) { -+ hid_err(hid, "invalid HID report type %u\n", type); -+ return NULL; -+ } -+ -+ if (id >= HID_MAX_IDS) { -+ hid_err(hid, "invalid HID report id %u\n", id); -+ return NULL; -+ } -+ -+ /* -+ * Explicitly not using hid_get_report() here since it depends on -+ * ->numbered being checked, which may not always be the case when -+ * drivers go to access report values. -+ */ -+ report = hid->report_enum[type].report_id_hash[id]; -+ if (!report) { -+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id); -+ return NULL; -+ } -+ if (report->maxfield <= field_index) { -+ hid_err(hid, "not enough fields in %s %u\n", -+ hid_report_names[type], id); -+ return NULL; -+ } -+ if (report->field[field_index]->report_count < report_counts) { -+ hid_err(hid, "not enough values in %s %u field %u\n", -+ hid_report_names[type], id, field_index); -+ return NULL; -+ } -+ return report; -+} -+EXPORT_SYMBOL_GPL(hid_validate_values); -+ - /** - * hid_open_report - open a driver-specific device report - * -diff --git a/include/linux/hid.h b/include/linux/hid.h -index ee1ffc5..31b9d29 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -756,6 +756,10 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags); - struct hid_device *hid_allocate_device(void); - struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); - int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); -+struct hid_report *hid_validate_values(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int field_index, -+ unsigned int report_counts); - int hid_open_report(struct hid_device *device); - int hid_check_keys_pressed(struct hid_device *hid); - int hid_connect(struct hid_device *hid, unsigned int connect_mask); --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:03:31 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11793oab; - Wed, 11 Sep 2013 13:03:31 -0700 (PDT) -X-Received: by 10.66.218.166 with SMTP id ph6mr5787502pac.28.1378929811148; - Wed, 11 Sep 2013 13:03:31 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id r5si6448917pbj.181.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:03:31 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757217Ab3IKT5Q (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:16 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:55160 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756944Ab3IKT5N (ORCPT ); - Wed, 11 Sep 2013 15:57:13 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJv7kb002821 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:07 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jY020673; - Wed, 11 Sep 2013 15:57:05 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 02/10] HID: zeroplus: validate output report details -Date: Wed, 11 Sep 2013 21:56:51 +0200 -Message-Id: <1378929419-6269-3-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 1957 -Lines: 62 - -From: Kees Cook - -The zeroplus HID driver was not checking the size of allocated values -in fields it used. A HID device could send a malicious output report -that would cause the driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 -... -[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2889 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- -v3: - - no changes - - drivers/hid/hid-zpff.c | 18 +++++------------- - 1 file changed, 5 insertions(+), 13 deletions(-) - -diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c -index 6ec28a3..a29756c 100644 ---- a/drivers/hid/hid-zpff.c -+++ b/drivers/hid/hid-zpff.c -@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- int error; -+ int i, error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -- return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 4) { -- hid_err(hid, "not enough fields in report\n"); -- return -ENODEV; -+ for (i = 0; i < 4; i++) { -+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); -+ if (!report) -+ return -ENODEV; - } - - zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:05:30 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11806oab; - Wed, 11 Sep 2013 13:05:31 -0700 (PDT) -X-Received: by 10.68.245.227 with SMTP id xr3mr3786856pbc.182.1378929930715; - Wed, 11 Sep 2013 13:05:30 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id hk5si3647517pac.9.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:05:30 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757390Ab3IKT7e (ORCPT - + 99 others); Wed, 11 Sep 2013 15:59:34 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:61377 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1757186Ab3IKT5O (ORCPT ); - Wed, 11 Sep 2013 15:57:14 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJv9ae028162 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:09 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jZ020673; - Wed, 11 Sep 2013 15:57:07 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 03/10] HID: sony: validate HID output report details -Date: Wed, 11 Sep 2013 21:56:52 +0200 -Message-Id: <1378929419-6269-4-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 1489 -Lines: 46 - -From: Kees Cook - -This driver must validate the availability of the HID output report and -its size before it can write LED states via buzz_set_leds(). This stops -a heap overflow that is possible if a device provides a malicious HID -output report: - -[ 108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002 -... -[ 117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten - -CVE-2013-2890 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- -v3: - - no changes - - drivers/hid/hid-sony.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c -index 30dbb6b..b18320d 100644 ---- a/drivers/hid/hid-sony.c -+++ b/drivers/hid/hid-sony.c -@@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev) - drv_data = hid_get_drvdata(hdev); - BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER)); - -+ /* Validate expected report characteristics. */ -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 7)) -+ return -ENODEV; -+ - buzz = kzalloc(sizeof(*buzz), GFP_KERNEL); - if (!buzz) { - hid_err(hdev, "Insufficient memory, cannot allocate driver data\n"); --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:01:06 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11780oab; - Wed, 11 Sep 2013 13:01:07 -0700 (PDT) -X-Received: by 10.68.178.197 with SMTP id da5mr3851703pbc.28.1378929666801; - Wed, 11 Sep 2013 13:01:06 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id yp5si22941669pbb.65.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:01:06 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757243Ab3IKT5U (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:20 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:50734 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756944Ab3IKT5S (ORCPT ); - Wed, 11 Sep 2013 15:57:18 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvBYq001582 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:11 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0ja020673; - Wed, 11 Sep 2013 15:57:09 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 04/10] HID: steelseries: validate output report details -Date: Wed, 11 Sep 2013 21:56:53 +0200 -Message-Id: <1378929419-6269-5-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 1388 -Lines: 46 - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -steelseries HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 -... -[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten - -CVE-2013-2891 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- -v3: - - no changes - - drivers/hid/hid-steelseries.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c -index d164911..29f328f 100644 ---- a/drivers/hid/hid-steelseries.c -+++ b/drivers/hid/hid-steelseries.c -@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, - goto err_free; - } - -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) { -+ ret = -ENODEV; -+ goto err_free; -+ } -+ - ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - if (ret) { - hid_err(hdev, "hw start failed\n"); --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:03:13 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11792oab; - Wed, 11 Sep 2013 13:03:14 -0700 (PDT) -X-Received: by 10.68.164.161 with SMTP id yr1mr3875852pbb.40.1378929793546; - Wed, 11 Sep 2013 13:03:13 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id br4si22834818pbd.183.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:03:13 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757365Ab3IKT6q (ORCPT - + 99 others); Wed, 11 Sep 2013 15:58:46 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:65295 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1757242Ab3IKT5T (ORCPT ); - Wed, 11 Sep 2013 15:57:19 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvD8J001594 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:13 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jb020673; - Wed, 11 Sep 2013 15:57:11 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 05/10] HID: LG: validate HID output report details -Date: Wed, 11 Sep 2013 21:56:54 +0200 -Message-Id: <1378929419-6269-6-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 6409 -Lines: 198 - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -lg, lg3, and lg4 HID drivers to write beyond the output report allocation -during an event, causing a heap overflow: - -[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 -... -[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten - -Additionally, while lg2 did correctly validate the report details, it was -cleaned up and shortened. - -CVE-2013-2893 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- -v3: - - no changes - - drivers/hid/hid-lg2ff.c | 19 +++---------------- - drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- - drivers/hid/hid-lg4ff.c | 20 +------------------- - drivers/hid/hid-lgff.c | 17 ++--------------- - 4 files changed, 12 insertions(+), 73 deletions(-) - -diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c -index b3cd150..1a42eaa 100644 ---- a/drivers/hid/hid-lg2ff.c -+++ b/drivers/hid/hid-lg2ff.c -@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; - int error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -+ /* Check that the report looks ok */ -+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7); -+ if (!report) - return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 1) { -- hid_err(hid, "output report is empty\n"); -- return -ENODEV; -- } -- if (report->field[0]->report_count < 7) { -- hid_err(hid, "not enough values in the field\n"); -- return -ENODEV; -- } - - lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); - if (!lg2ff) -diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c -index e52f181..8c2da18 100644 ---- a/drivers/hid/hid-lg3ff.c -+++ b/drivers/hid/hid-lg3ff.c -@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, - int x, y; - - /* -- * Maxusage should always be 63 (maximum fields) -- * likely a better way to ensure this data is clean -+ * Available values in the field should always be 63, but we only use up to -+ * 35. Instead, clear the entire area, however big it is. - */ -- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage); -+ memset(report->field[0]->value, 0, -+ sizeof(__s32) * report->field[0]->report_count); - - switch (effect->type) { - case FF_CONSTANT: -@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = { - int lg3ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff3_joystick_ac; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -- return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35)) -+ return -ENODEV; - - /* Assume single fixed device G940 */ - for (i = 0; ff_bits[i] >= 0; i++) -diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c -index 0ddae2a..8782fe1 100644 ---- a/drivers/hid/hid-lg4ff.c -+++ b/drivers/hid/hid-lg4ff.c -@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde - int lg4ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - struct lg4ff_device_entry *entry; - struct lg_drv_data *drv_data; - struct usb_device_descriptor *udesc; - int error, i, j; - __u16 bcdDevice, rev_maj, rev_min; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) - return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } - - /* Check what wheel has been connected */ - for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { -diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c -index d7ea8c8..e1394af 100644 ---- a/drivers/hid/hid-lgff.c -+++ b/drivers/hid/hid-lgff.c -@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) - int lgff_init(struct hid_device* hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff_joystick; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) -+ return -ENODEV; - - for (i = 0; i < ARRAY_SIZE(devices); i++) { - if (dev->id.vendor == devices[i].idVendor && --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:02:34 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11790oab; - Wed, 11 Sep 2013 13:02:35 -0700 (PDT) -X-Received: by 10.68.170.133 with SMTP id am5mr3779285pbc.104.1378929754723; - Wed, 11 Sep 2013 13:02:34 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id xn6si22906387pbc.242.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:02:34 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757267Ab3IKT5Y (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:24 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:57999 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756944Ab3IKT5W (ORCPT ); - Wed, 11 Sep 2013 15:57:22 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvFmO002339 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:15 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jc020673; - Wed, 11 Sep 2013 15:57:13 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 06/10] HID: lenovo-tpkbd: validate output report details -Date: Wed, 11 Sep 2013 21:56:55 +0200 -Message-Id: <1378929419-6269-7-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 1714 -Lines: 53 - -From: Kees Cook - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -lenovo-tpkbd HID driver to write just beyond the output report allocation -during initialization, causing a heap overflow: - -[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 -... -[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2894 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- -v3: - - fix feature report check for report ID 4 - - drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 07837f5..762d988 100644 ---- a/drivers/hid/hid-lenovo-tpkbd.c -+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev) - struct tpkbd_data_pointer *data_pointer; - size_t name_sz = strlen(dev_name(dev)) + 16; - char *name_mute, *name_micmute; -- int ret; -+ int i, ret; -+ -+ /* Validate required reports. */ -+ for (i = 0; i < 4; i++) { -+ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1)) -+ return -ENODEV; -+ } -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2)) -+ return -ENODEV; - - if (sysfs_create_group(&hdev->dev.kobj, - &tpkbd_attr_group_pointer)) { --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:01:42 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11787oab; - Wed, 11 Sep 2013 13:01:42 -0700 (PDT) -X-Received: by 10.68.114.132 with SMTP id jg4mr3706613pbb.109.1378929702143; - Wed, 11 Sep 2013 13:01:42 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id l10si3649592pav.4.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:01:42 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757311Ab3IKT5a (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:30 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:43211 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1757287Ab3IKT51 (ORCPT ); - Wed, 11 Sep 2013 15:57:27 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvHJA002860 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:18 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jd020673; - Wed, 11 Sep 2013 15:57:16 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 07/10] HID: logitech-dj: validate output report details -Date: Wed, 11 Sep 2013 21:56:56 +0200 -Message-Id: <1378929419-6269-8-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 2335 -Lines: 66 - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -logitech-dj HID driver to leak kernel memory contents to the device, or -trigger a NULL dereference during initialization: - -[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b -... -[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 -[ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 - -CVE-2013-2895 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- -v3: - - check for the whole size of the DJ report, as per the spec - - drivers/hid/hid-logitech-dj.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index 7800b14..2e53024 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - struct hid_report *report; - struct hid_report_enum *output_report_enum; - u8 *data = (u8 *)(&dj_report->device_index); -- int i; -+ unsigned int i; - - output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; - report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - return -ENODEV; - } - -- for (i = 0; i < report->field[0]->report_count; i++) -+ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++) - report->field[0]->value[i] = data[i]; - - hid_hw_request(hdev, report, HID_REQ_SET_REPORT); -@@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev, - goto hid_parse_fail; - } - -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, -+ 0, DJREPORT_SHORT_LENGTH - 1)) { -+ retval = -ENODEV; -+ goto hid_parse_fail; -+ } -+ - /* Starts the usb device and connects to upper interfaces hiddev and - * hidraw */ - retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:05:44 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11807oab; - Wed, 11 Sep 2013 13:05:44 -0700 (PDT) -X-Received: by 10.66.217.166 with SMTP id oz6mr5752976pac.22.1378929944218; - Wed, 11 Sep 2013 13:05:44 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id ar2si22935873pbc.82.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:05:44 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757288Ab3IKT51 (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:27 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:2642 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756944Ab3IKT5Z (ORCPT ); - Wed, 11 Sep 2013 15:57:25 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvJjC028198 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:19 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0je020673; - Wed, 11 Sep 2013 15:57:18 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 08/10] HID: validate feature and input report details -Date: Wed, 11 Sep 2013 21:56:57 +0200 -Message-Id: <1378929419-6269-9-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 4930 -Lines: 138 - -When dealing with usage_index, be sure to properly use unsigned instead of -int to avoid overflows. - -When working on report fields, always validate that their report_counts are -in bounds. -Without this, a HID device could report a malicious feature report that -could trick the driver into a heap overflow: - -[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 -... -[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2897 - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- -v3: - - new patch: extract from the hid-multitouch patch, the generic checks so that - every hid drivers will benefit from them - - drivers/hid/hid-core.c | 16 +++++++--------- - drivers/hid/hid-input.c | 11 ++++++++++- - 2 files changed, 17 insertions(+), 10 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 44b6c68..329e24e 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -94,7 +94,6 @@ EXPORT_SYMBOL_GPL(hid_register_report); - static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) - { - struct hid_field *field; -- int i; - - if (report->maxfield == HID_MAX_FIELDS) { - hid_err(report->device, "too many fields in report\n"); -@@ -113,9 +112,6 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned - field->value = (s32 *)(field->usage + usages); - field->report = report; - -- for (i = 0; i < usages; i++) -- field->usage[i].usage_index = i; -- - return field; - } - -@@ -226,9 +222,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign - { - struct hid_report *report; - struct hid_field *field; -- int usages; -+ unsigned usages; - unsigned offset; -- int i; -+ unsigned i; - - report = hid_register_report(parser->device, report_type, parser->global.report_id); - if (!report) { -@@ -255,7 +251,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign - if (!parser->local.usage_index) /* Ignore padding fields */ - return 0; - -- usages = max_t(int, parser->local.usage_index, parser->global.report_count); -+ usages = max_t(unsigned, parser->local.usage_index, -+ parser->global.report_count); - - field = hid_register_field(report, usages, parser->global.report_count); - if (!field) -@@ -266,13 +263,14 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign - field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION); - - for (i = 0; i < usages; i++) { -- int j = i; -+ unsigned j = i; - /* Duplicate the last usage we parsed if we have excess values */ - if (i >= parser->local.usage_index) - j = parser->local.usage_index - 1; - field->usage[i].hid = parser->local.usage[j]; - field->usage[i].collection_index = - parser->local.collection_index[j]; -+ field->usage[i].usage_index = i; - } - - field->maxusage = usages; -@@ -1354,7 +1352,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, - goto out; - } - -- if (hid->claimed != HID_CLAIMED_HIDRAW) { -+ if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { - for (a = 0; a < report->maxfield; a++) - hid_input_field(hid, report->field[a], cdata, interrupt); - hdrv = hid->driver; -diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c -index b420f4a..8741d95 100644 ---- a/drivers/hid/hid-input.c -+++ b/drivers/hid/hid-input.c -@@ -485,6 +485,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel - if (field->flags & HID_MAIN_ITEM_CONSTANT) - goto ignore; - -+ /* Ignore if report count is out of bounds. */ -+ if (field->report_count < 1) -+ goto ignore; -+ - /* only LED usages are supported in output fields */ - if (field->report_type == HID_OUTPUT_REPORT && - (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) { -@@ -1236,7 +1240,11 @@ static void report_features(struct hid_device *hid) - - rep_enum = &hid->report_enum[HID_FEATURE_REPORT]; - list_for_each_entry(rep, &rep_enum->report_list, list) -- for (i = 0; i < rep->maxfield; i++) -+ for (i = 0; i < rep->maxfield; i++) { -+ /* Ignore if report count is out of bounds. */ -+ if (rep->field[i]->report_count < 1) -+ continue; -+ - for (j = 0; j < rep->field[i]->maxusage; j++) { - /* Verify if Battery Strength feature is available */ - hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]); -@@ -1245,6 +1253,7 @@ static void report_features(struct hid_device *hid) - drv->feature_mapping(hid, rep->field[i], - rep->field[i]->usage + j); - } -+ } - } - - static struct hid_input *hidinput_allocate(struct hid_device *hid) --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:01:25 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11783oab; - Wed, 11 Sep 2013 13:01:25 -0700 (PDT) -X-Received: by 10.67.1.228 with SMTP id bj4mr5448135pad.157.1378929685422; - Wed, 11 Sep 2013 13:01:25 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id pi7si3124468pbc.51.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:01:25 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757329Ab3IKT5c (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:32 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:55015 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756944Ab3IKT52 (ORCPT ); - Wed, 11 Sep 2013 15:57:28 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvLrf002879 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:21 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jf020673; - Wed, 11 Sep 2013 15:57:20 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 09/10] HID: multitouch: validate indexes details -Date: Wed, 11 Sep 2013 21:56:58 +0200 -Message-Id: <1378929419-6269-10-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 3416 -Lines: 90 - -When working on report indexes, always validate that they are in bounds. -Without this, a HID device could report a malicious feature report that -could trick the driver into a heap overflow: - -[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 -... -[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -Note that we need to change the indexes from s8 to s16 as they can -be between -1 and 255. - -CVE-2013-2897 - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- -v3: - - extract from hid-multitouch the generic checks so that every hid drivers will - benefit from them - - change __s8 index declarations into __s16 - - use usage_index for the input_mode index instead of a half working code - - check the indexes validities only once - - drivers/hid/hid-multitouch.c | 26 ++++++++++++++------------ - 1 file changed, 14 insertions(+), 12 deletions(-) - -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index ac28f08..5e5fe1b 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -101,9 +101,9 @@ struct mt_device { - unsigned last_slot_field; /* the last field of a slot */ - unsigned mt_report_id; /* the report ID of the multitouch device */ - unsigned pen_report_id; /* the report ID of the pen device */ -- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */ -- __s8 inputmode_index; /* InputMode HID feature index in the report */ -- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature, -+ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ -+ __s16 inputmode_index; /* InputMode HID feature index in the report */ -+ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature, - -1 if non-existent */ - __u8 num_received; /* how many contacts we received */ - __u8 num_expected; /* expected last contact index */ -@@ -312,20 +312,18 @@ static void mt_feature_mapping(struct hid_device *hdev, - struct hid_field *field, struct hid_usage *usage) - { - struct mt_device *td = hid_get_drvdata(hdev); -- int i; - - switch (usage->hid) { - case HID_DG_INPUTMODE: -- td->inputmode = field->report->id; -- td->inputmode_index = 0; /* has to be updated below */ -- -- for (i=0; i < field->maxusage; i++) { -- if (field->usage[i].hid == usage->hid) { -- td->inputmode_index = i; -- break; -- } -+ /* Ignore if value index is out of bounds. */ -+ if (usage->usage_index >= field->report_count) { -+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); -+ break; - } - -+ td->inputmode = field->report->id; -+ td->inputmode_index = usage->usage_index; -+ - break; - case HID_DG_CONTACTMAX: - td->maxcontact_report_id = field->report->id; -@@ -511,6 +509,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi, - mt_store_field(usage, td, hi); - return 1; - case HID_DG_CONTACTCOUNT: -+ /* Ignore if indexes are out of bounds. */ -+ if (field->index >= field->report->maxfield || -+ usage->usage_index >= field->report_count) -+ return 1; - td->cc_index = field->index; - td->cc_value_index = usage->usage_index; - return 1; --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -From linux-kernel-owner@vger.kernel.org Wed Sep 11 16:02:04 2013 -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp11788oab; - Wed, 11 Sep 2013 13:02:04 -0700 (PDT) -X-Received: by 10.66.158.72 with SMTP id ws8mr5663660pab.39.1378929724125; - Wed, 11 Sep 2013 13:02:04 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id rt3si22933801pbc.113.1969.12.31.16.00.00; - Wed, 11 Sep 2013 13:02:04 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757009Ab3IKT55 (ORCPT - + 99 others); Wed, 11 Sep 2013 15:57:57 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:25059 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1757308Ab3IKT53 (ORCPT ); - Wed, 11 Sep 2013 15:57:29 -0400 -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r8BJvNSJ001923 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Wed, 11 Sep 2013 15:57:23 -0400 -Received: from t410.redhat.com (ovpn-116-31.ams2.redhat.com [10.36.116.31]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r8BJv0jg020673; - Wed, 11 Sep 2013 15:57:22 -0400 -From: Benjamin Tissoires -To: Benjamin Tissoires , - Kees Cook , - Henrik Rydberg , - Jiri Kosina , linux-input@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH v3 10/10] HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails -Date: Wed, 11 Sep 2013 21:56:59 +0200 -Message-Id: <1378929419-6269-11-git-send-email-benjamin.tissoires@redhat.com> -In-Reply-To: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -References: <1378929419-6269-1-git-send-email-benjamin.tissoires@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Status: RO -Content-Length: 1436 -Lines: 60 - -If tpkbd_probe_tp() bails out, the probe() function return an error, -but hid_hw_stop() is never called. - -fixes: -https://bugzilla.redhat.com/show_bug.cgi?id=1003998 - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- -v3: - - new patch - - drivers/hid/hid-lenovo-tpkbd.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 762d988..31cf29a 100644 ---- a/drivers/hid/hid-lenovo-tpkbd.c -+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -414,22 +414,27 @@ static int tpkbd_probe(struct hid_device *hdev, - ret = hid_parse(hdev); - if (ret) { - hid_err(hdev, "hid_parse failed\n"); -- goto err_free; -+ goto err; - } - - ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - if (ret) { - hid_err(hdev, "hid_hw_start failed\n"); -- goto err_free; -+ goto err; - } - - uhdev = (struct usbhid_device *) hdev->driver_data; - -- if (uhdev->ifnum == 1) -- return tpkbd_probe_tp(hdev); -+ if (uhdev->ifnum == 1) { -+ ret = tpkbd_probe_tp(hdev); -+ if (ret) -+ goto err_hid; -+ } - - return 0; --err_free: -+err_hid: -+ hid_hw_stop(hdev); -+err: - return ret; - } - --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - diff --git a/config-generic b/config-generic index 97962d2..7bd40db 100644 --- a/config-generic +++ b/config-generic @@ -1603,13 +1603,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -# CONFIG_B43_DEBUG is not set +CONFIG_B43_DEBUG=y CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -# CONFIG_B43LEGACY_DEBUG is not set +CONFIG_B43LEGACY_DEBUG=y CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3292,7 +3292,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -# CONFIG_USB_UAS is not set +CONFIG_USB_UAS=m # @@ -4336,7 +4336,7 @@ CONFIG_PM_STD_PARTITION="" CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_TEST_SUSPEND=y CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index 75fc220..66b8caa 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,100 +2,100 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set - -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y + +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y -# CONFIG_SLUB_DEBUG_ON is not set +CONFIG_SLUB_DEBUG_ON=y -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -# CONFIG_DEBUG_SG is not set +CONFIG_DEBUG_SG=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_WRITECOUNT is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_WRITECOUNT=y +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -# CONFIG_X86_PTDUMP is not set +CONFIG_X86_PTDUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_SYSCTL_SYSCALL_CHECK is not set +CONFIG_SYSCTL_SYSCALL_CHECK=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y # CONFIG_XFS_WARN is not set -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y # CONFIG_RTLWIFI_DEBUG is not set -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set -# CONFIG_DMADEVICES_VDEBUG is not set +CONFIG_DMADEVICES_DEBUG=y +CONFIG_DMADEVICES_VDEBUG=y CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_PCI_DEFAULT_USE_CRS=y @@ -103,17 +103,17 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +CONFIG_TEST_LIST_SORT=y # CONFIG_TEST_STRING_HELPERS is not set -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -124,7 +124,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set +CONFIG_X86_DEBUG_STATIC_CPU_HAS=y # CONFIG_SCHEDSTATS is not set # CONFIG_LATENCYTOP is not set diff --git a/config-x86-generic b/config-x86-generic index f0a253e..133cb85 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -323,7 +323,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index 65bfc0a..7096942 100644 --- a/kernel.spec +++ b/kernel.spec @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 1 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -158,7 +158,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -171,7 +171,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 0 +%define rawhide_skip_docs 1 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -754,13 +754,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 -#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 -#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 -#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 -#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 -Patch25099: HID-CVE-fixes.patch - #CVE-2013-4343 rhbz 1007733 1007741 Patch25100: tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -1486,13 +1479,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 -#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 -#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 -#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 -#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 -ApplyPatch HID-CVE-fixes.patch - ApplyPatch fix-arm-btrfs-build.patch #CVE-2013-4343 rhbz 1007733 1007741 @@ -2308,6 +2294,10 @@ fi # ||----w | # || || %changelog +* Wed Sep 18 2013 Josh Boyer - 3.12.0-0.rc1.git1.1 +- Linux v3.12-rc1-27-g62d228b +- Reenable debugging options. + * Tue Sep 17 2013 Josh Boyer - CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) diff --git a/sources b/sources index 28d2d8e..0b360aa 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz 9e56aa52fa00092499ba943557f197eb patch-3.12-rc1.xz +b820d2b88ba5a1e643389e91983fbc0b patch-3.12-rc1-git1.xz