Date: Sat, 25 Jun 2016 23:01:40 -0600
From: Scotty <>
Subject: CVE Request: Linux kernel HID: hiddev buffer overflows

Good evening,

There is a small buffer overflow in the hiddev driver code which seems to have come due
to a refactor of the driver in 2008-ish.

If a user-land process calls the hiddev ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command,
and passes a report id of HID_REPORT_ID_UNKNOWN it bypasses a series of bounds checks. Later in
the code the attacker can loop on some controlled value and overwrite past the bounds of the
uref_multi array or the value array.

	switch (cmd) {
	case HIDIOCGUSAGES:
/* HEAP OVERFLOW, Attacker controls num_values */
		for (i = 0; i < uref_multi->num_values; i++)
			uref_multi->values[i] =
			    field->value[uref->usage_index + i];
		if (copy_to_user(user_arg, uref_multi,
				 sizeof(*uref_multi)))
			goto fault;
		goto goodreturn;

	case HIDIOCSUSAGES:
/* HEAP OVERFLOW, attacker controls num_values */
		for (i = 0; i < uref_multi->num_values; i++)
			field->value[uref->usage_index + i] =
				uref_multi->values[i];
		goto goodreturn;

The issue has been fixed upstream here:

Attached is a PoC illustrating the issue.

Thank you.

View attachment "usb_hiddev.c" of type "text/x-csrc" (1677 bytes)

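The report above describes two copy loops whose length (num_values) and start offset (usage_index) come straight from user space, with the bounds checks skipped on the HID_REPORT_ID_UNKNOWN path. The following user-space C program is an added example, not part of the post, the attached PoC, or the kernel source: it models the two ioctl copy loops over simplified, constructed versions of the hiddev structures and shows the bounds check that must gate both loops. The check has to bound num_values against the caller's fixed-size values[] array (HID_MAX_MULTI_USAGES, the array size from the kernel's hiddev.h) and bound usage_index + num_values against the field's report_count without letting the addition wrap. The struct names with a model_ prefix and the function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of hiddev_usage_ref_multi.values[] in the kernel's uapi hiddev.h. */
#define HID_MAX_MULTI_USAGES 1024

/* Simplified models of the kernel structures (constructed for this example;
 * the real struct hid_field and struct hiddev_usage_ref_multi carry more fields). */
struct model_field {
	unsigned report_count;	/* number of entries the field's value[] actually holds */
	int32_t *value;		/* backing array of report_count entries */
};

struct model_usage_ref_multi {
	unsigned usage_index;	/* user-supplied start offset into field->value[] */
	unsigned num_values;	/* user-supplied loop count */
	int32_t values[HID_MAX_MULTI_USAGES];
};

/* Returns 0 when [usage_index, usage_index + num_values) lies inside both the
 * caller's values[] array and the field's value[] array, -EINVAL otherwise.
 * The third test subtracts instead of adding so a huge usage_index cannot wrap
 * the sum back into range. */
static int usages_in_bounds(const struct model_field *f,
			    unsigned usage_index, unsigned num_values)
{
	if (num_values > HID_MAX_MULTI_USAGES)
		return -EINVAL;
	if (usage_index > f->report_count)
		return -EINVAL;
	if (num_values > f->report_count - usage_index)
		return -EINVAL;
	return 0;
}

/* HIDIOCGUSAGES analogue: copy field values out into the caller's buffer. */
int get_usages(const struct model_field *f, struct model_usage_ref_multi *m)
{
	int rc = usages_in_bounds(f, m->usage_index, m->num_values);
	if (rc)
		return rc;
	for (unsigned i = 0; i < m->num_values; i++)
		m->values[i] = f->value[m->usage_index + i];
	return 0;
}

/* HIDIOCSUSAGES analogue: copy the caller's buffer into the field values. */
int set_usages(struct model_field *f, const struct model_usage_ref_multi *m)
{
	int rc = usages_in_bounds(f, m->usage_index, m->num_values);
	if (rc)
		return rc;
	for (unsigned i = 0; i < m->num_values; i++)
		f->value[m->usage_index + i] = m->values[i];
	return 0;
}

/* Exercises the check with a constructed 4-entry field: one in-range request,
 * then the three shapes of out-of-range request the check must reject.
 * Returns 0 when every case behaves as expected, otherwise the number of the
 * failing case. */
int demo(void)
{
	static int32_t backing[4] = { 10, 20, 30, 40 };
	struct model_field f = { 4, backing };
	struct model_usage_ref_multi m;

	memset(&m, 0, sizeof(m));
	m.usage_index = 2; m.num_values = 2;		/* entries 2..3: fine */
	if (get_usages(&f, &m) != 0 || m.values[0] != 30 || m.values[1] != 40)
		return 1;
	m.usage_index = 2; m.num_values = 3;		/* runs one past the field */
	if (get_usages(&f, &m) != -EINVAL)
		return 2;
	m.usage_index = 0xFFFFFFFFu; m.num_values = 2;	/* sum would wrap to 1 */
	if (set_usages(&f, &m) != -EINVAL)
		return 3;
	m.usage_index = 0; m.num_values = HID_MAX_MULTI_USAGES + 1;	/* past values[] */
	if (set_usages(&f, &m) != -EINVAL)
		return 4;
	m.usage_index = 1; m.num_values = 1; m.values[0] = 99;	/* in-range write */
	if (set_usages(&f, &m) != 0 || backing[1] != 99)
		return 5;
	return 0;
}

int main(void)
{
	int rc = demo();
	printf("%s (case %d)\n", rc ? "FAIL" : "OK", rc);
	return rc;
}
```

The point of the third case is that a check written as `usage_index + num_values > report_count` is not enough on its own: with unsigned arithmetic the sum can wrap and pass, so the comparison is done against `report_count - usage_index` after first confirming `usage_index` itself is in range.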
