Jiri Kosina 27ce405039 HID: fix data access in implement() ... implement() is setting bytes in LE data stream. In case the data is not aligned to 64bits, it reads past the allocated buffer. It doesn't really change any value there (it's properly bitmasked), but in case that this read past the boundary hits a page boundary, pagefault happens when accessing 64bits of 'x' in implement(), and kernel oopses. This happens much more often when numbered reports are in use, as the initial 8bit skip in the buffer makes the whole process work on values which are not aligned to 64bits. This problem dates back to attempts in 2005 and 2006 to make implement() and extract() as generic as possible, and even back then the problem was realized by Adam Kroperlin, but falsely assumed to be impossible to cause any harm: http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html I have made several attempts at fixing it "on the spot" directly in implement(), but the results were horrible; the special casing for processing last 64bit chunk and switching to different math makes it unreadable mess. I therefore took a path to allocate a few bytes more which will never make it into final report, but are there as a cushion for all the 64bit math operations happening in implement() and extract(). All callers of hid_output_report() are converted at the same time to allocate the buffer by newly introduced hid_alloc_report_buf() helper. Bruno noticed that the whole raw_size test can be dropped as well, as hid_alloc_report_buf() makes sure that the buffer is always of a proper size. Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk> Signed-off-by: Jiri Kosina <jkosina@suse.cz>		2013-07-22 16:16:40 +02:00
..
9p	zero copy error fix	2013-06-10 17:35:25 -07:00
802	net/802/mrp: fix lockdep splat	2013-05-14 13:02:30 -07:00
8021q	net: vlan,ethtool: netdev_features_t is more than 32 bit	2013-05-02 13:58:12 -04:00
appletalk	appletalk: info leak in ->getname()	2013-04-25 01:47:58 -04:00
atm	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2013-05-01 17:51:54 -07:00
ax25	ax25: fix info leak via msg_name in ax25_recvmsg()	2013-04-07 16:28:00 -04:00
batman-adv	batman-adv: Don't handle address updates when bla is disabled	2013-06-10 08:42:18 +02:00
bluetooth	HID: fix data access in implement()	2013-07-22 16:16:40 +02:00
bridge	bridge: fix switched interval for MLD Query types	2013-06-17 17:11:22 -07:00
caif	caif: Remove bouncing address for Daniel Martensson	2013-04-23 13:25:51 -04:00
can	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2013-05-01 17:51:54 -07:00
ceph	libceph: must hold mutex for reset_changed_osds()	2013-05-17 12:45:40 -05:00
core	Char/Misc merge for 3.11-rc1	2013-07-02 11:43:33 -07:00
dcb	rtnetlink: Remove passing of attributes into rtnl_doit functions	2013-03-22 10:31:16 -04:00
dccp	tcp: Remove TCPCT	2013-03-17 14:35:13 -04:00
decnet	decnet: remove duplicated include from dn_table.c	2013-04-07 17:12:01 -04:00
dns_resolver
dsa	dsa: fix freeing of sparse port allocation	2013-03-25 12:23:41 -04:00
ethernet	net: add ETH_P_802_3_MIN	2013-03-28 01:20:42 -04:00
ieee802154	ieee802154/nl-mac.c: make some MLME operations optional	2013-04-08 12:00:16 -04:00
ipv4	mm: use totalram_pages instead of num_physpages at runtime	2013-07-03 16:07:35 -07:00
ipv6	ipv6: ip6_sk_dst_check() must not assume ipv6 dst	2013-06-26 15:13:47 -07:00
ipx
irda	net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.	2013-05-19 15:10:47 -07:00
iucv	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2013-04-22 20:32:51 -04:00
key	af_key: fix info leaks in notify messages	2013-06-26 15:15:54 -07:00
l2tp	l2tp: Fix sendmsg() return value	2013-06-13 02:39:04 -07:00
lapb
llc	llc: Fix missing msg_namelen update in llc_ui_recvmsg()	2013-04-07 16:28:01 -04:00
mac80211	drivers: avoid format strings in names passed to alloc_workqueue()	2013-07-03 16:07:41 -07:00
mac802154	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2013-04-30 03:55:20 -04:00
netfilter	netfilter: ctnetlink: send event when conntrack label was modified	2013-06-24 11:32:56 +02:00
netlabel	netlabel: improve domain mapping validation	2013-05-19 14:49:55 -07:00
netlink	netlink: fix error propagation in netlink_mmap()	2013-06-11 02:52:47 -07:00
netrom	netrom: info leak in ->getname()	2013-04-25 01:47:58 -04:00
nfc	NFC: Remove commented out LLCP related Makefile line	2013-05-21 10:47:41 +02:00
openvswitch	openvswitch: Remove unneeded ovs_netdev_get_ifindex()	2013-04-30 00:19:11 -04:00
packet	packet: packet_getname_spkt: make sure string is always 0-terminated	2013-06-13 01:38:36 -07:00
phonet	rtnetlink: Remove passing of attributes into rtnl_doit functions	2013-03-22 10:31:16 -04:00
rds
rfkill	Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next	2013-04-22 14:58:14 -04:00
rose	rose: fix info leak via msg_name in rose_recvmsg()	2013-04-07 16:28:02 -04:00
rxrpc
sched	net_sched: qdisc_get_rtab() must check data[] array	2013-06-07 15:24:04 -07:00
sctp	sctp: fully initialize sctp_outq in sctp_outq_init	2013-06-13 18:05:24 -07:00
sunrpc	Merge branch 'akpm' (updates from Andrew Morton)	2013-07-03 17:12:13 -07:00
tipc	tipc: potential divide by zero in tipc_link_recv_fragment()	2013-05-06 16:16:52 -04:00
unix	af_unix: use freezable blocking calls in read	2013-05-12 14:16:23 +02:00
vmw_vsock	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2013-04-30 03:55:20 -04:00
wimax
wireless	nl80211: fix attrbuf access race by allocating a separate one	2013-06-19 18:31:20 +02:00
x25	x25: use proc_remove_subtree()	2013-04-09 14:13:35 -04:00
xfrm	xfrm: force a garbage collection after deleting a policy	2013-05-31 17:30:07 -07:00
compat.c	net: Unbreak compat_sys_{send,recv}msg	2013-06-06 11:52:14 -07:00
Kconfig	net: core: move mac_pton() to lib/net_utils.c	2013-06-05 12:00:27 -07:00
Makefile
nonet.c
socket.c	net: Unbreak compat_sys_{send,recv}msg	2013-06-06 11:52:14 -07:00
sysctl_net.c