Skip to content
Commit 43622021 authored by Kees Cook's avatar Kees Cook Committed by Jiri Kosina
Browse files

HID: validate HID report id size 



The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 58c59bc9
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment