Date: Sat, 25 Jun 2016 23:01:40 -0600
From: Scotty <>
Subject: CVE Request: Linux kernel HID: hiddev buffer overflows

Good evening,

There is a small buffer overflow in the hiddev driver code which seems to have come due
to a refactor of the driver in 2008-ish.

If a user-land process calls the hiddev ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command
and passes a report id of HID_REPORT_ID_UNKNOWN, it bypasses a series of bounds checks. Later in
the code the attacker can loop on some controlled value and overwrite past the bounds of the
uref_multi array or the value array.

	/* Excerpt from hiddev_ioctl_usage(); the case labels and the two truncated
	 * continuation lines are restored from upstream hiddev.c, not from the post. */
	switch (cmd) {
	case HIDIOCGUSAGES:
		/* HEAP OVERFLOW, Attacker controls num_values */
		for (i = 0; i < uref_multi->num_values; i++)
			uref_multi->values[i] =
			    field->value[uref->usage_index + i];
		if (copy_to_user(user_arg, uref_multi,
				 sizeof(*uref_multi)))
			goto fault;
		goto goodreturn;

	case HIDIOCSUSAGES:
		/* HEAP OVERFLOW, attacker controls num_values */
		for (i = 0; i < uref_multi->num_values; i++)
			field->value[uref->usage_index + i] =
			    uref_multi->values[i];
		goto goodreturn;

The issue has been fixed upstream here:

Attached is a PoC illustrating the issue.

Thank you.

View attachment "usb_hiddev.c" of type "text/x-csrc" (1677 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
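The bounds check that the HID_REPORT_ID_UNKNOWN path skips, modelled in user space as an added example (this is not the kernel's code, the poster's PoC, or the upstream patch). The struct layouts, REPORT_COUNT and the helper names are assumptions; HID_MAX_MULTI_USAGES is the real limit from <linux/hiddev.h>.

```c
/* Constructed user-space model of the HIDIOCGUSAGES/HIDIOCSUSAGES
 * bounds problem. Struct shapes, REPORT_COUNT and function names are
 * assumptions; HID_MAX_MULTI_USAGES (1024) is the real limit from
 * <linux/hiddev.h>. */
#include <errno.h>

#define HID_MAX_MULTI_USAGES 1024
#define REPORT_COUNT 8            /* assumed size of the model field */

struct model_field {
    unsigned report_count;        /* number of valid entries in value[] */
    int value[REPORT_COUNT];
};

struct model_usageref_multi {
    unsigned usage_index;         /* caller-controlled */
    unsigned num_values;          /* caller-controlled */
    int values[HID_MAX_MULTI_USAGES];
};

/* The check the copy loops lack when the report id is
 * HID_REPORT_ID_UNKNOWN. Written so that usage_index + num_values
 * cannot wrap in unsigned arithmetic. Returns 0 or -EINVAL. */
int hiddev_validate_multi(const struct model_field *field,
                          const struct model_usageref_multi *m)
{
    if (m->num_values > HID_MAX_MULTI_USAGES)
        return -EINVAL;
    if (m->num_values > field->report_count ||
        m->usage_index > field->report_count - m->num_values)
        return -EINVAL;
    return 0;
}

/* HIDIOCGUSAGES with the check applied: copies field->value[] into
 * the caller's buffer only when the whole range is in bounds. */
int hiddev_get_usages(const struct model_field *field,
                      struct model_usageref_multi *m)
{
    int rc = hiddev_validate_multi(field, m);
    if (rc)
        return rc;
    for (unsigned i = 0; i < m->num_values; i++)
        m->values[i] = field->value[m->usage_index + i];
    return 0;
}
```

The same validation guards the HIDIOCSUSAGES direction, since both loops index field->value[] with usage_index + i for num_values iterations.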
