Message-ID: <576F61B4.1020505@plzdonthack.me>
Date: Sat, 25 Jun 2016 23:01:40 -0600
From: Scotty <sbauer@...donthack.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: Linux kernel HID: hiddev buffer overflows

Good evening,

There is a small buffer overflow in the hiddev driver code which seems to have come from a refactor of the driver in 2008-ish.

If a user-land process calls the hiddev ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command and passes a report id of HID_REPORT_ID_UNKNOWN, it bypasses a series of bounds checks. Later in the code the attacker can loop on some controlled value and overwrite past the bounds of the uref_multi array or the value array.

    switch (cmd) {
    ...
    ...
    ...
    case HIDIOCGUSAGES:
        /* HEAP OVERFLOW, Attacker controls num_values */
        for (i = 0; i < uref_multi->num_values; i++)
            uref_multi->values[i] =
                field->value[uref->usage_index + i];

        if (copy_to_user(user_arg, uref_multi, sizeof(*uref_multi)))
            goto fault;
        goto goodreturn;

    case HIDIOCSUSAGES:
        /* HEAP OVERFLOW, attacker controls num_values */
        for (i = 0; i < uref_multi->num_values; i++)
            field->value[uref->usage_index + i] =
                uref_multi->values[i];
        goto goodreturn;
    }

The issue has been fixed upstream here:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5

Attached is a PoC illustrating the issue.

Thank you.

Attachment: usb_hiddev.c (text/x-csrc, 1677 bytes)
Attachment: signature.asc (application/pgp-signature, 837 bytes)
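The bound that the two loops in the report lack, modelled in userland as an added example. This is not kernel code and not the attached PoC: the two constants are copied from linux/hiddev.h, but struct field_model, the sample value[] contents and every function name are constructed for the example, and check_usages() is a bound in the spirit of the upstream fix rather than a copy of it. The unchecked loop is modelled by counting the indices it would touch outside the field instead of writing to them, so the program is memory-safe while still showing how many elements a given num_values runs past the end.

```c
/*
 * Userland model of the hiddev HIDIOCGUSAGES / HIDIOCSUSAGES bounds problem.
 * Added example: not kernel code, not the attached PoC. It never writes out
 * of bounds; the vulnerable loop is modelled by counting out-of-range indices.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HID_MAX_MULTI_USAGES 1024          /* as in linux/hiddev.h */
#define HID_REPORT_ID_UNKNOWN 0xffffffffU  /* as in linux/hiddev.h */

/* Same fields as the ioctl argument, struct hiddev_usage_ref_multi. */
struct usage_ref_multi {
    uint32_t report_type, report_id, field_index, usage_index, usage_code;
    uint32_t num_values;
    int32_t  values[HID_MAX_MULTI_USAGES];
};

/* Constructed stand-in for a parsed HID field with report_count live slots. */
#define MODEL_SLOTS 8
struct field_model {
    unsigned report_count;
    int32_t  value[MODEL_SLOTS];
};

static void make_field(struct field_model *f, unsigned report_count)
{
    f->report_count = report_count > MODEL_SLOTS ? MODEL_SLOTS : report_count;
    for (unsigned i = 0; i < MODEL_SLOTS; i++)
        f->value[i] = (int32_t)(i * 10);   /* constructed contents */
}

/* The unchecked loop from the report: how many of the num_values accesses
 * fall outside field->value[]? Non-zero means a heap over-read/over-write
 * in the real driver. */
static unsigned oob_accesses(uint32_t usage_index, uint32_t num_values,
                             unsigned report_count)
{
    unsigned oob = 0;
    for (uint32_t i = 0; i < num_values; i++)
        if ((uint64_t)usage_index + i >= report_count)
            oob++;
    return oob;
}

/* Bound in the spirit of the upstream fix, applied before any copy:
 * num_values must fit values[] and usage_index + num_values must stay
 * inside the field. 64-bit arithmetic keeps the sum from wrapping. */
static int check_usages(uint32_t usage_index, uint32_t num_values,
                        unsigned report_count)
{
    if (num_values > HID_MAX_MULTI_USAGES)
        return -EINVAL;
    if ((uint64_t)usage_index + num_values > report_count)
        return -EINVAL;
    return 0;
}

/* Checked HIDIOCGUSAGES model: 0 and u->values[] filled, or -EINVAL with
 * neither array touched. */
static int gusages_fixed(struct usage_ref_multi *u, const struct field_model *f)
{
    int err = check_usages(u->usage_index, u->num_values, f->report_count);
    if (err)
        return err;
    for (uint32_t i = 0; i < u->num_values; i++)
        u->values[i] = f->value[u->usage_index + i];
    return 0;
}

/* Sum of the values a checked HIDIOCGUSAGES returns, or -1 if rejected. */
static long gusages_sum(uint32_t usage_index, uint32_t num_values,
                        unsigned report_count)
{
    struct field_model f;
    struct usage_ref_multi u;
    long sum = 0;

    make_field(&f, report_count);
    memset(&u, 0, sizeof u);
    u.report_id  = HID_REPORT_ID_UNKNOWN;  /* the path that skipped the checks */
    u.usage_index = usage_index;
    u.num_values  = num_values;
    if (gusages_fixed(&u, &f) != 0)
        return -1;
    for (uint32_t i = 0; i < u.num_values; i++)
        sum += u.values[i];
    return sum;
}

int main(void)
{
    /* 8-slot field: 6 values from index 2 fit, 7 run one past the end. */
    printf("oob accesses (2, 6, 8): %u\n", oob_accesses(2, 6, 8));
    printf("oob accesses (2, 7, 8): %u\n", oob_accesses(2, 7, 8));
    printf("check_usages(2, 7, 8) = %d\n", check_usages(2, 7, 8));
    printf("check_usages(0, 1025, 8) = %d\n", check_usages(0, 1025, 8));
    printf("checked GUSAGES sum (2, 3, 8) = %ld\n", gusages_sum(2, 3, 8));
    return 0;
}
```

The second test in check_usages() matters as much as the first: num_values alone being capped at HID_MAX_MULTI_USAGES only protects uref_multi->values[], while field->value[] is report_count entries long and is overrun as soon as usage_index + num_values exceeds it, which is the case the HID_REPORT_ID_UNKNOWN path in the report reaches.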