oss-sec mailing list archives
CVE Request: Linux kernel HID: hiddev buffer overflows
From: Scotty <sbauer () plzdonthack me>
Date: Sat, 25 Jun 2016 23:01:40 -0600
Good evening,

There is a small buffer overflow in the hiddev driver code which seems to have come due to a re-factor of the driver in 2008-ish. If a user-land process calls the hiddev ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command, and passes a report id of HID_REPORT_ID_UNKNOWN, it bypasses a series of bounds checks. Later in the code the attacker can loop on some controlled value and overwrite past the bounds of the uref_multi array or the value array.

    switch (cmd) {
    ...
    ...
    ...
    case HIDIOCGUSAGES:
        /* HEAP OVERFLOW, Attacker controls num_values */
        for (i = 0; i < uref_multi->num_values; i++)
            uref_multi->values[i] =
                field->value[uref->usage_index + i];
        if (copy_to_user(user_arg, uref_multi, sizeof(*uref_multi)))
            goto fault;
        goto goodreturn;

    case HIDIOCSUSAGES:
        /* HEAP OVERFLOW, attacker controls num_values */
        for (i = 0; i < uref_multi->num_values; i++)
            field->value[uref->usage_index + i] =
                uref_multi->values[i];
        goto goodreturn;
    }

The issue has been fixed upstream here:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5

Attached is a PoC illustrating the issue.

Thank you.
Attachment: usb_hiddev.c
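The missing check the report describes, as an added user-space model (not the kernel's code and not the poster's PoC): the num_values/usage_index validation that HIDIOCGUSAGES and HIDIOCSUSAGES need on every lookup path, including the HID_REPORT_ID_UNKNOWN path that skipped it. The struct layouts are simplified stand-ins; HID_MAX_MULTI_USAGES matches the uapi constant, and model_case() is a hypothetical helper that builds a four-entry field for testing.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Same value as HID_MAX_MULTI_USAGES in <linux/hiddev.h>. */
#define HID_MAX_MULTI_USAGES 1024

/* Simplified stand-in for the kernel's struct hid_field (model only). */
struct model_field {
    unsigned int report_count;   /* number of entries in value[] */
    int32_t *value;
};

/* Simplified stand-in for struct hiddev_usage_ref_multi (model only). */
struct model_uref_multi {
    unsigned int usage_index;
    unsigned int num_values;
    int32_t values[HID_MAX_MULTI_USAGES];
};

/*
 * Bounds check that must run before either copy loop, regardless of how
 * the field was looked up. Returns 0 when the request fits, -EINVAL otherwise.
 */
int validate_multi_usage(const struct model_field *f,
                         const struct model_uref_multi *m)
{
    if (m->num_values > HID_MAX_MULTI_USAGES)        /* values[] bound */
        return -EINVAL;
    /* Add in 64-bit space so a huge usage_index cannot wrap the sum. */
    if ((uint64_t)m->usage_index + m->num_values > f->report_count)
        return -EINVAL;                               /* value[] bound */
    return 0;
}

/* HIDIOCGUSAGES direction: field -> user buffer, only after validation. */
int get_usages_checked(const struct model_field *f, struct model_uref_multi *m)
{
    int rc = validate_multi_usage(f, m);
    if (rc)
        return rc;
    for (unsigned int i = 0; i < m->num_values; i++)
        m->values[i] = f->value[m->usage_index + i];
    return 0;
}

/* Hypothetical test helper: constructed 4-entry field {10,20,30,40}. */
int model_case(unsigned int usage_index, unsigned int num_values, int32_t *out)
{
    int32_t vals[4] = {10, 20, 30, 40};
    struct model_field f = { 4, vals };
    struct model_uref_multi m;
    memset(&m, 0, sizeof m);
    m.usage_index = usage_index;
    m.num_values = num_values;
    int rc = get_usages_checked(&f, &m);
    if (rc == 0 && out)
        memcpy(out, m.values, num_values * sizeof(int32_t));
    return rc;
}
```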