Date: Sat, 25 Jun 2016 23:01:40 -0600
From: Scotty <sbauer@...donthack.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: Linux kernel HID: hiddev buffer overflows

Good evening,

There is a small buffer overflow in the hiddev driver code, which seems to have come from
a re-factor of the driver in 2008-ish.

If a user-land process calls the hiddev ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command
and passes a report id of HID_REPORT_ID_UNKNOWN, it bypasses a series of bounds checks. Later in
the code the attacker can loop on some controlled value and overwrite past the bounds of the
uref_multi array or the value array.


	switch (cmd) {
	...
	case HIDIOCGUSAGES:
		/* HEAP OVERFLOW, attacker controls num_values */
		for (i = 0; i < uref_multi->num_values; i++)
			uref_multi->values[i] =
			    field->value[uref->usage_index + i];
		if (copy_to_user(user_arg, uref_multi,
				 sizeof(*uref_multi)))
			goto fault;
		goto goodreturn;
	case HIDIOCSUSAGES:
		/* HEAP OVERFLOW, attacker controls num_values */
		for (i = 0; i < uref_multi->num_values; i++)
			field->value[uref->usage_index + i] =
			    uref_multi->values[i];
		goto goodreturn;
	}

The issue has been fixed upstream here:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5

Attached is a PoC illustrating the issue.

Thank you.


Attachment: usb_hiddev.c (text/x-csrc, 1677 bytes)
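The loops quoted in the report index two fixed-size arrays, uref_multi->values[] (HID_MAX_MULTI_USAGES entries) and field->value[] (the field's report_count entries), using a num_values and usage_index that come straight from the ioctl argument. The example below is an added userland model of that ioctl path, not the kernel's code and not the upstream fix; it uses the real struct layouts and constants from include/uapi/linux/hiddev.h, but struct model_field, usages_range_ok(), check_request() and the overrun_*() helpers are assumptions made for the demonstration. It shows the bound the loops need (num_values within values[], and usage_index + num_values within the field, written so the addition cannot wrap) in front of the HIDIOCGUSAGES copy, and computes how far past each array the unchecked loop would have reached for a given request. The same check guards the HIDIOCSUSAGES direction.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants and structs as in include/uapi/linux/hiddev.h. */
#define HID_MAX_MULTI_USAGES   1024
#define HID_REPORT_ID_UNKNOWN  0xffffffff

struct hiddev_usage_ref {
	uint32_t report_type;
	uint32_t report_id;
	uint32_t field_index;
	uint32_t usage_index;
	uint32_t usage_code;
	int32_t  value;
};

struct hiddev_usage_ref_multi {
	struct hiddev_usage_ref uref;
	uint32_t num_values;
	int32_t  values[HID_MAX_MULTI_USAGES];
};

/* Assumption: stand-in for the hid_field members the loops touch.
 * report_count is the number of entries in value[]. */
struct model_field {
	unsigned report_count;
	int32_t *value;
};

/* The bound the unchecked loops violate: num_values must fit in
 * uref_multi->values[], and usage_index + num_values must fit in
 * field->value[]. The subtraction form cannot wrap on 32-bit inputs. */
static int usages_range_ok(const struct model_field *field,
			   const struct hiddev_usage_ref_multi *um)
{
	uint32_t idx = um->uref.usage_index;
	uint32_t n = um->num_values;

	if (n > HID_MAX_MULTI_USAGES)
		return 0;
	if (idx > field->report_count)
		return 0;
	if (n > field->report_count - idx)
		return 0;
	return 1;
}

/* HIDIOCGUSAGES copy with the check in front of the loop. */
int hiddev_gusages_checked(const struct model_field *field,
			   struct hiddev_usage_ref_multi *um)
{
	uint32_t i;

	if (!usages_range_ok(field, um))
		return -EINVAL;
	for (i = 0; i < um->num_values; i++)
		um->values[i] = field->value[um->uref.usage_index + i];
	return 0;
}

/* Entries the unchecked loop would touch past the end of values[]. */
uint64_t overrun_values(uint32_t num_values)
{
	return num_values > HID_MAX_MULTI_USAGES ? num_values - HID_MAX_MULTI_USAGES : 0;
}

/* Entries the unchecked loop would touch past the end of field->value[]. */
uint64_t overrun_field(unsigned report_count, uint32_t usage_index, uint32_t num_values)
{
	uint64_t end = (uint64_t)usage_index + num_values;
	return end > report_count ? end - report_count : 0;
}

/* Run the check for a request with the given scalars; 0 or -EINVAL. */
int check_request(unsigned report_count, uint32_t usage_index, uint32_t num_values)
{
	struct model_field field = { report_count, NULL };
	struct hiddev_usage_ref_multi um;

	memset(&um, 0, sizeof(um));
	um.uref.report_id = HID_REPORT_ID_UNKNOWN;
	um.uref.usage_index = usage_index;
	um.num_values = num_values;
	return usages_range_ok(&field, &um) ? 0 : -EINVAL;
}

/* Constructed 8-entry field; a valid GUSAGES of 4 values at index 4
 * yields values[0] + values[3] == 14 + 17 == 31. */
int demo_roundtrip(void)
{
	int32_t backing[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };
	struct model_field field = { 8, backing };
	struct hiddev_usage_ref_multi um;

	memset(&um, 0, sizeof(um));
	um.uref.report_id = HID_REPORT_ID_UNKNOWN;
	um.uref.usage_index = 4;
	um.num_values = 4;
	if (hiddev_gusages_checked(&field, &um) != 0)
		return -1;
	return um.values[0] + um.values[3];
}

int main(void)
{
	printf("idx 4, n 4 of 8: %d\n", check_request(8, 4, 4));
	printf("idx 4, n 5 of 8: %d, field overrun %llu\n", check_request(8, 4, 5),
	       (unsigned long long)overrun_field(8, 4, 5));
	printf("n 2000: %d, values[] overrun %llu\n", check_request(8, 0, 2000),
	       (unsigned long long)overrun_values(2000));
	printf("roundtrip: %d\n", demo_roundtrip());
	return 0;
}
```

The request with num_values 2000 shows why both arrays matter: it overruns uref_multi->values[] on the HIDIOCGUSAGES side (the kernel-allocated copy of the user argument) and field->value[] on the HIDIOCSUSAGES side, and a usage_index near UINT32_MAX would pass a naive idx + n test once the sum wraps, which is why the check subtracts instead.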
