Bug 482896 (CVE-2013-2888) - Kernel : HID security flaws (CVE-2013-{2888,2889,2890,2891,2892,2893,2894,2895,2896,2897,2898,2899})
Status: CONFIRMED
Alias: CVE-2013-2888
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-29 09:11 UTC by Agostino Sarubbo
Modified: 2016-12-07 04:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-08-29 09:11:01 UTC
From ${URL} :

http://marc.info/?l=linux-input&m=137772180514608&w=1
0001-HID-validate-HID-report-id-size.patch
CVE-2013-2888
Requires CONFIG_HID
Memory write via arbitrary heap array index. This is the most serious,
IMO, as it allows (on 32-bit) access to the entire memory range (the
index is unsigned 32 bit). This is mitigated slightly by the fact that
the starting address is at an "unknown" location on the heap, and that
the value written is an "arbitrary" kernel pointer. Still, this could
almost certainly be turned into full kernel execution given enough
study.

http://marc.info/?l=linux-input&m=137772181214612&w=1
0002-HID-provide-a-helper-for-validating-hid-reports.patch
Routine that many of the driver fixes use to verify their report sanity.

http://marc.info/?l=linux-input&m=137772182014614&w=1
0003-HID-zeroplus-validate-output-report-details.patch
CVE-2013-2889
Requires CONFIG_HID_ZEROPLUS
Small past-end-of-heap-alloc zeroing.

http://marc.info/?l=linux-input&m=137772182814616&w=1
0004-HID-sony-validate-HID-output-report-details.patch
CVE-2013-2890
Requires CONFIG_HID_SONY
Small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772184614622&w=1
0005-HID-steelseries-validate-output-report-details.patch
CVE-2013-2891
Requires CONFIG_HID_STEELSERIES
16 byte past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772185414625&w=1
0006-HID-pantherlord-validate-output-report-details.patch
CVE-2013-2892
Requires CONFIG_HID_PANTHERLORD
Small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772186714627&w=1
0007-HID-LG-validate-HID-output-report-details.patch
CVE-2013-2893
Requires CONFIG_LOGITECH_FF or CONFIG_LOGIG940_FF or CONFIG_LOGIWHEELS_FF
Userspace-assisted small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772187514628&w=1
0008-HID-lenovo-tpkbd-validate-output-report-details.patch
CVE-2013-2894
Requires CONFIG_HID_LENOVO_TPKBD
Small past-end-of-heap-alloc zeroing

http://marc.info/?l=linux-input&m=137772188314631&w=1
0009-HID-logitech-dj-validate-output-report-details.patch
CVE-2013-2895
Requires CONFIG_HID_LOGITECH_DJ
Can leak up to 12K of kernel memory contents to device, or NULL deref Oops DoS

http://marc.info/?l=linux-input&m=137772189314633&w=1
0010-HID-ntrig-validate-feature-report-details.patch
CVE-2013-2896
Requires CONFIG_HID_NTRIG
Triggers NULL deref Oops DoS

http://marc.info/?l=linux-input&m=137772190214635&w=1
0011-HID-multitouch-validate-feature-report-details.patch
CVE-2013-2897
Requires CONFIG_HID_MULTITOUCH
Slightly flexible heap overwrite with static value 0x2, or NULL deref Oops DoS

http://marc.info/?l=linux-input&m=137772191114645&w=1
0012-HID-sensor-hub-validate-feature-report-details.patch
CVE-2013-2898
Requires CONFIG_HID_SENSOR_HUB
Potential kernel caller confusion via past-end-of-heap-allocation read

http://marc.info/?l=linux-input&m=137772191714649&w=1
0013-HID-picolcd_core-validate-output-report-details.patch
CVE-2013-2899
Requires CONFIG_HID_PICOLCD
Userspace-assisted NULL deref Oops DoS

http://marc.info/?t=137772196600012&r=1&w=1
0014-HID-check-for-NULL-field-when-setting-values.patch
Just a defensive change, since several drivers would have been less
vulnerable with this check.
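The common defect behind patches 0001 and 0003 through 0013 is that a driver writes into report->field[n]->value[i] for indices it assumes exist, while the report descriptor supplied by the device decides how large those arrays really are. The following user-space C model, added here and not taken from the kernel patches or from the Gentoo bug, shows the kind of up-front check the 0002 helper introduces: the struct names mirror the kernel's but are constructed for this example, and `validate_output_report`, `ff_init_zero_values` and `make_device` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>
/* Constructed user-space model of the HID report structures the patches
 * operate on; names mirror the kernel's, but this is not kernel code. */
#define HID_MAX_IDS 256
#define MAX_FIELDS 4
struct hid_field  { unsigned report_count; int32_t *value; };
struct hid_report { unsigned id; unsigned maxfield; struct hid_field *field[MAX_FIELDS]; };
struct hid_device { struct hid_report *output_by_id[HID_MAX_IDS]; };

/* In the spirit of patch 0002: check every descriptor-controlled value before a
 * driver touches field[idx]->value[0..need_values-1]; NULL means "reject device". */
struct hid_report *validate_output_report(struct hid_device *hid, unsigned id,
                                          unsigned field_idx, unsigned need_values)
{
    if (id >= HID_MAX_IDS)                  /* patch 0001: report id used as array index */
        return NULL;
    struct hid_report *report = hid->output_by_id[id];
    if (!report || field_idx >= report->maxfield)   /* absent report/field: NULL deref */
        return NULL;
    struct hid_field *f = report->field[field_idx];
    if (!f || f->report_count < need_values)        /* patch 0014 / value[] too short */
        return NULL;
    return report;
}

/* Driver-style init as the fixed zeroplus/sony/steelseries patches do it: zero the
 * first four values of output report 0 only after validation. 1 = ok, 0 = rejected. */
int ff_init_zero_values(struct hid_device *hid)
{
    struct hid_report *r = validate_output_report(hid, 0, 0, 4);
    if (!r)
        return 0;
    for (unsigned i = 0; i < 4; i++)
        r->field[0]->value[i] = 0;
    return 1;
}

/* Fixture: a one-report device whose descriptor claims the given report id, field
 * count and value count (constructed data, not captured from real hardware). */
static int32_t values[8]; static struct hid_field fld;
static struct hid_report rep; static struct hid_device dev;
struct hid_device *make_device(unsigned id, unsigned maxfield, unsigned count)
{
    memset(&dev, 0, sizeof dev);
    fld = (struct hid_field){ .report_count = count, .value = values };
    rep = (struct hid_report){ .id = id, .maxfield = maxfield, .field = { &fld } };
    if (id < HID_MAX_IDS) dev.output_by_id[id] = &rep;
    return &dev;
}
```

A device that advertises fewer values, no fields, or no report 0 at all is refused before the driver's loop runs, which is exactly the class of past-end-of-heap-alloc write and NULL dereference the per-driver patches close.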
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-08-29 12:53:48 UTC
Tried to apply to 3.8.13 and 3.10.7; from the looks of it, seems they need to be backported to apply. They are probably written to target 3.11. I'll wait a small bit for upstream to backport these unless someone is willing to rewrite the patches. If not, I might backport these as I am working on a merge workflow to more easily rewrite patches (for the upcoming experimental patches).
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:44:57 UTC
CVE-2013-2899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2899):
  drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem
  in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows
  physically proximate attackers to cause a denial of service (NULL pointer
  dereference and OOPS) via a crafted device.

CVE-2013-2898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2898):
  drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem
  in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled,
  allows physically proximate attackers to obtain sensitive information from
  kernel memory via a crafted device.

CVE-2013-2897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2897):
  Multiple array index errors in drivers/hid/hid-multitouch.c in the Human
  Interface Device (HID) subsystem in the Linux kernel through 3.11, when
  CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to
  cause a denial of service (heap memory corruption, or NULL pointer
  dereference and OOPS) via a crafted device.

CVE-2013-2896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2896):
  drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the
  Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows
  physically proximate attackers to cause a denial of service (NULL pointer
  dereference and OOPS) via a crafted device.

CVE-2013-2895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2895):
  drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subsystem
  in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ is enabled,
  allows physically proximate attackers to cause a denial of service (NULL
  pointer dereference and OOPS) or obtain sensitive information from kernel
  memory via a crafted device.

CVE-2013-2894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2894):
  drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem
  in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled,
  allows physically proximate attackers to cause a denial of service
  (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2893):
  The Human Interface Device (HID) subsystem in the Linux kernel through 3.11,
  when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is
  enabled, allows physically proximate attackers to cause a denial of service
  (heap-based out-of-bounds write) via a crafted device, related to (1)
  drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3)
  drivers/hid/hid-lg4ff.c.

CVE-2013-2892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2892):
  drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the
  Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows
  physically proximate attackers to cause a denial of service (heap-based
  out-of-bounds write) via a crafted device.

CVE-2013-2891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2891):
  drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem
  in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled,
  allows physically proximate attackers to cause a denial of service
  (heap-based out-of-bounds write) via a crafted device.

CVE-2013-2890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2890):
  drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem in the
  Linux kernel through 3.11, when CONFIG_HID_SONY is enabled, allows
  physically proximate attackers to cause a denial of service (heap-based
  out-of-bounds write) via a crafted device.

CVE-2013-2889 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2889):
  drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the
  Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows
  physically proximate attackers to cause a denial of service (heap-based
  out-of-bounds write) via a crafted device.

CVE-2013-2888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2888):
  Multiple array index errors in drivers/hid/hid-core.c in the Human Interface
  Device (HID) subsystem in the Linux kernel through 3.11 allow physically
  proximate attackers to execute arbitrary code or cause a denial of service
  (heap memory corruption) via a crafted device that provides an invalid
  Report ID.
Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-09-25 14:42:37 UTC
Now that this is revised in the stable queue, I have managed to apply these; 2890 has been covered by the revised patch for 2888, 2893 I couldn't find, and for 2897 a revised patch was made because the original has shown to be problematic at Fedora.

We can be glad to have not backported some of these earlier...

Will be part of 3.10.7-r1 and new version bumps.