linux-sg2042/drivers/hid/usbhid
Breno Leitao f11274396a HID: hiddev: fix potential Spectre v1
uref->usage_index can be indirectly controlled by userspace, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This field is used as an array index by the hiddev_ioctl_usage() function,
when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
HIDIOCSUSAGES.

For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
field->maxusage and then used as an index to dereference field->usage
array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
uref->usage_index is checked against an array maximum value and then it is
used as an index in an array.

This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
traditional Spectre V1 first load:

	copy_from_user(uref, user_arg, sizeof(*uref))
	if (uref->usage_index >= field->maxusage)
		goto inval;
	i = field->usage[uref->usage_index].collection_index;
	return i;

This patch fixes this by sanitizing field uref->usage_index before using it
to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.

Cc: <stable@vger.kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
--

v2: Contemplate cmd == HIDIOC{G,S}USAGES case
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2018-10-26 17:06:24 +02:00
..
Kconfig docs: fix broken references with multiple hints 2018-06-15 18:10:01 -03:00
Makefile HID: core: move the dynamic quirks handling in core 2017-11-21 11:14:48 +01:00
hid-core.c HID: usbhid: use irqsave() in USB's complete callback 2018-06-25 15:24:46 +02:00
hid-pidff.c HID: pidff: effect can't be NULL 2015-03-27 16:03:26 +01:00
hiddev.c HID: hiddev: fix potential Spectre v1 2018-10-26 17:06:24 +02:00
usbhid.h HID: usbhid: do not rely on hid->open when deciding to do IO 2017-06-08 13:56:09 +02:00
usbkbd.c HID: usbkbd: constify usb_device_id and fix space before '[' error. 2017-08-10 11:07:49 +02:00
usbmouse.c HID: usbmouse: constify usb_device_id and fix space before '[' error 2017-08-10 11:07:49 +02:00