Kernel-HID/USB: multiple CVEs

CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver CVE-2014-3182 Kernel: HID: logitech-dj OOB array access CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup routine CVE-2014-3185 Kernel: USB serial: memory corruption flaw References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-01-27 09:10:42 +0100
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-02-03 10:04:50 +0800
commit: 2d64414dded202975082a0531fcfb4461256bf2d (patch)
tree: 8c08d5696abac9bc8849e411a1d26413d8f292ad
parent: 42590aa5fb3ae3212c7950f2c71fcf7b3b19ecde (diff)
download: meta-freescale-2d64414dded202975082a0531fcfb4461256bf2d.tar.gz
5 files changed, 286 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
new file mode 100644
index 000000000..4355c68f1
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
+From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 27 Aug 2014 09:12:24 +0200
+Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
+ callback
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that
+magicmouse_emit_touch() gets only valid values of raw_id.
+This fixes CVE-2014-3181
+Upstream-Status: Backport
+Cc: stable@vger.kernel.org
+Reported-by: Steven Vittitoe <scvitti@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-magicmouse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index ecc2cbf..29a74c1 100644
+--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+                if (size < 4 || ((size - 4) % 9) != 0)
+                        return 0;
+                npoints = (size - 4) / 9;
+               if (npoints > 15) {
+                       hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
+                                       size);
+                       return 0;
+               }
+                msc->ntouches = 0;
+                for (ii = 0; ii < npoints; ii++)
+                        magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+                if (size < 6 || ((size - 6) % 8) != 0)
+                        return 0;
+                npoints = (size - 6) / 8;
+               if (npoints > 15) {
+                       hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
+                                       size);
+                       return 0;
+               }
+                msc->ntouches = 0;
+                for (ii = 0; ii < npoints; ii++)
+                        magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
new file mode 100644
index 000000000..a90d07996
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
@@ -0,0 +1,65 @@
+From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:17 -0500
+Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
+ enough
+device_index is a char type and the size of paired_dj_deivces is 7
+elements, therefore proper bounds checking has to be applied to
+device_index before it is used.
+We are currently performing the bounds checking in
+logi_dj_recv_add_djhid_device(), which is too late, as malicious device
+could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
+problem in one of the report forwarding functions called from
+logi_dj_raw_event().
+Fix this by performing the check at the earliest possible ocasion in
+logi_dj_raw_event().
+This fixes CVE-2014-3182
+Upstream-Status: Backport
+Cc: stable@vger.kernel.org
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-logitech-dj.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index ca0ab51..b7ba829 100644
+--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
+@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
+                return;
+        }
+ 
+-       if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+-           (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+-               dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
+-                       __func__, dj_report->device_index);
+-               return;
+-       }
+-
+        if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
+                /* The device is already known. No need to reallocate it. */
+                dbg_hid("%s: device is already known\n", __func__);
+@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
+         * device (via hid_input_report() ) and return 1 so hid-core does not do
+         * anything else with it.
+         */
+       if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+           (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+               dev_err(&hdev->dev, "%s: invalid device index:%d\n",
+                               __func__, dj_report->device_index);
+               return false;
+       }
+ 
+        spin_lock_irqsave(&djrcv_dev->lock, flags);
+        if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
new file mode 100644
index 000000000..f58b2f0e6
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
+From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 21 Aug 2014 09:57:48 -0500
+Subject: [PATCH] HID: fix a couple of off-by-ones
+There are a few very theoretical off-by-one bugs in report descriptor size
+checking when performing a pre-parsing fixup. Fix those.
+This fixes CVE-2014-3184
+Upstream-Status: Backport
+Cc: stable@vger.kernel.org
+Reported-by: Ben Hawkes <hawkes@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/hid/hid-cherry.c   | 2 +-
+ drivers/hid/hid-kye.c      | 2 +-
+ drivers/hid/hid-lg.c       | 4 ++--
+ drivers/hid/hid-monterey.c | 2 +-
+ drivers/hid/hid-petalynx.c | 2 +-
+ drivers/hid/hid-sunplus.c  | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
+index 1bdcccc..f745d2c 100644
+--- a/drivers/hid/hid-cherry.c
+++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+       if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+                hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+                rdesc[11] = rdesc[16] = 0xff;
+                rdesc[12] = rdesc[17] = 0x03;
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index e776963..b92bf01 100644
+--- a/drivers/hid/hid-kye.c
+++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                 *   - change the button usage range to 4-7 for the extra
+                 *     buttons
+                 */
+-               if (*rsize >= 74 &&
+               if (*rsize >= 75 &&
+                        rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+                        rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+                        rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index a976f48..f91ff14 100644
+--- a/drivers/hid/hid-lg.c
+++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+        struct usb_device_descriptor *udesc;
+        __u16 bcdDevice, rev_maj, rev_min;
+ 
+-       if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
+       if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+                        rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+                hid_info(hdev,
+                         "fixing up Logitech keyboard report descriptor\n");
+                rdesc[84] = rdesc[89] = 0x4d;
+                rdesc[85] = rdesc[90] = 0x10;
+        }
+-       if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
+       if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+                        rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+                        rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+                hid_info(hdev,
+diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
+index 9e14c00..25daf28 100644
+--- a/drivers/hid/hid-monterey.c
+++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+       if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+                hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+                rdesc[30] = 0x0c;
+        }
+diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
+index 736b250..6aca4f2 100644
+--- a/drivers/hid/hid-petalynx.c
+++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+       if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+                        rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+                        rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+                hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
+index 87fc91e..91072fa 100644
+--- a/drivers/hid/hid-sunplus.c
+++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                unsigned int *rsize)
+ {
+-       if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+       if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+                        rdesc[106] == 0x03) {
+                hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+                rdesc[105] = rdesc[110] = 0x03;
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
new file mode 100644
index 000000000..082080768
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
+From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
+From: James Forshaw <forshaw@google.com>
+Date: Sat, 23 Aug 2014 14:39:48 -0700
+Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
+ response
+This patch fixes a potential security issue in the whiteheat USB driver
+which might allow a local attacker to cause kernel memory corrpution. This
+is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
+EHCI and XHCI busses it's possible to craft responses greater than 64
+bytes leading a buffer overflow.
+This fixes CVE-2014-3185
+Upstream-Status: Backport
+Signed-off-by: James Forshaw <forshaw@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/usb/serial/whiteheat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index e62f2df..6c3734d 100644
+--- a/drivers/usb/serial/whiteheat.c
+++ b/drivers/usb/serial/whiteheat.c
+@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
+                dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
+                return;
+        }
+       if (!urb->actual_length) {
+               dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
+               return;
+       }
+        if (status) {
+                dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
+                if (status != -ENOENT)
+@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
+                /* These are unsolicited reports from the firmware, hence no
+                   waiting command to wakeup */
+                dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
+-       } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
+       } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
+               (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
+                memcpy(command_info->result_buffer, &data[1],
+                                                urb->actual_length - 1);
+                command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
index 874a3f2b5..195b47771 100644
--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -13,6 +13,10 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
    file://udf-CVE-2014-6410.patch \
    file://net-sctp-CVE-2014-0101.patch \
+    file://0001-HID-CVE-2014-3181.patch \
+    file://0002-HID-CVE-2014-3182.patch \
+    file://0003-HID-CVE-2014-3184.patch \
+    file://0004-USB-CVE-2014-3185.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-01-27 09:10:42 +0100
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-02-03 10:04:50 +0800
commit	2d64414dded202975082a0531fcfb4461256bf2d (patch)
tree	8c08d5696abac9bc8849e411a1d26413d8f292ad
parent	42590aa5fb3ae3212c7950f2c71fcf7b3b19ecde (diff)
download	meta-freescale-2d64414dded202975082a0531fcfb4461256bf2d.tar.gz

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch new file mode 100644 index 000000000..4355c68f1 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
		1	From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
		2	From: Jiri Kosina <jkosina@suse.cz>
		3	Date: Wed, 27 Aug 2014 09:12:24 +0200
		4	Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
		5	callback
		6
		7	The report passed to us from transport driver could potentially be
		8	arbitrarily large, therefore we better sanity-check it so that
		9	magicmouse_emit_touch() gets only valid values of raw_id.
		10
		11	This fixes CVE-2014-3181
		12	Upstream-Status: Backport
		13
		14	Cc: stable@vger.kernel.org
		15	Reported-by: Steven Vittitoe <scvitti@google.com>
		16	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
		17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		18	---
		19	drivers/hid/hid-magicmouse.c \| 10 ++++++++++
		20	1 file changed, 10 insertions(+)
		21
		22	diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
		23	index ecc2cbf..29a74c1 100644
		24	--- a/drivers/hid/hid-magicmouse.c
		25	+++ b/drivers/hid/hid-magicmouse.c
		26	@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
		27	if (size < 4 \|\| ((size - 4) % 9) != 0)
		28	return 0;
		29	npoints = (size - 4) / 9;
		30	+ if (npoints > 15) {
		31	+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
		32	+ size);
		33	+ return 0;
		34	+ }
		35	msc->ntouches = 0;
		36	for (ii = 0; ii < npoints; ii++)
		37	magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
		38	@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
		39	if (size < 6 \|\| ((size - 6) % 8) != 0)
		40	return 0;
		41	npoints = (size - 6) / 8;
		42	+ if (npoints > 15) {
		43	+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
		44	+ size);
		45	+ return 0;
		46	+ }
		47	msc->ntouches = 0;
		48	for (ii = 0; ii < npoints; ii++)
		49	magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
		50	--
		51	1.9.1
		52


diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch new file mode 100644 index 000000000..a90d07996 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
@@ -0,0 +1,65 @@
		1	From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
		2	From: Jiri Kosina <jkosina@suse.cz>
		3	Date: Thu, 21 Aug 2014 09:57:17 -0500
		4	Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
		5	enough
		6
		7	device_index is a char type and the size of paired_dj_deivces is 7
		8	elements, therefore proper bounds checking has to be applied to
		9	device_index before it is used.
		10
		11	We are currently performing the bounds checking in
		12	logi_dj_recv_add_djhid_device(), which is too late, as malicious device
		13	could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
		14	problem in one of the report forwarding functions called from
		15	logi_dj_raw_event().
		16
		17	Fix this by performing the check at the earliest possible ocasion in
		18	logi_dj_raw_event().
		19
		20	This fixes CVE-2014-3182
		21	Upstream-Status: Backport
		22
		23	Cc: stable@vger.kernel.org
		24	Reported-by: Ben Hawkes <hawkes@google.com>
		25	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
		26	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
		27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		28	---
		29	drivers/hid/hid-logitech-dj.c \| 13 ++++++-------
		30	1 file changed, 6 insertions(+), 7 deletions(-)
		31
		32	diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
		33	index ca0ab51..b7ba829 100644
		34	--- a/drivers/hid/hid-logitech-dj.c
		35	+++ b/drivers/hid/hid-logitech-dj.c
		36	@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
		37	return;
		38	}
		39
		40	- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) \|\|
		41	- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
		42	- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
		43	- __func__, dj_report->device_index);
		44	- return;
		45	- }
		46	-
		47	if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
		48	/* The device is already known. No need to reallocate it. */
		49	dbg_hid("%s: device is already known\n", __func__);
		50	@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
		51	* device (via hid_input_report() ) and return 1 so hid-core does not do
		52	* anything else with it.
		53	*/
		54	+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) \|\|
		55	+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
		56	+ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
		57	+ __func__, dj_report->device_index);
		58	+ return false;
		59	+ }
		60
		61	spin_lock_irqsave(&djrcv_dev->lock, flags);
		62	if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
		63	--
		64	1.9.1
		65


diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch new file mode 100644 index 000000000..f58b2f0e6 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
		1	From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
		2	From: Jiri Kosina <jkosina@suse.cz>
		3	Date: Thu, 21 Aug 2014 09:57:48 -0500
		4	Subject: [PATCH] HID: fix a couple of off-by-ones
		5
		6	There are a few very theoretical off-by-one bugs in report descriptor size
		7	checking when performing a pre-parsing fixup. Fix those.
		8
		9	This fixes CVE-2014-3184
		10	Upstream-Status: Backport
		11
		12	Cc: stable@vger.kernel.org
		13	Reported-by: Ben Hawkes <hawkes@google.com>
		14	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
		15	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
		16	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		17	---
		18	drivers/hid/hid-cherry.c \| 2 +-
		19	drivers/hid/hid-kye.c \| 2 +-
		20	drivers/hid/hid-lg.c \| 4 ++--
		21	drivers/hid/hid-monterey.c \| 2 +-
		22	drivers/hid/hid-petalynx.c \| 2 +-
		23	drivers/hid/hid-sunplus.c \| 2 +-
		24	6 files changed, 7 insertions(+), 7 deletions(-)
		25
		26	diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
		27	index 1bdcccc..f745d2c 100644
		28	--- a/drivers/hid/hid-cherry.c
		29	+++ b/drivers/hid/hid-cherry.c
		30	@@ -28,7 +28,7 @@
		31	static __u8 ch_report_fixup(struct hid_device hdev, __u8 *rdesc,
		32	unsigned int *rsize)
		33	{
		34	- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
		35	+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
		36	hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
		37	rdesc[11] = rdesc[16] = 0xff;
		38	rdesc[12] = rdesc[17] = 0x03;
		39	diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
		40	index e776963..b92bf01 100644
		41	--- a/drivers/hid/hid-kye.c
		42	+++ b/drivers/hid/hid-kye.c
		43	@@ -300,7 +300,7 @@ static __u8 kye_report_fixup(struct hid_device hdev, __u8 *rdesc,
		44	* - change the button usage range to 4-7 for the extra
		45	* buttons
		46	*/
		47	- if (*rsize >= 74 &&
		48	+ if (*rsize >= 75 &&
		49	rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
		50	rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
		51	rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
		52	diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
		53	index a976f48..f91ff14 100644
		54	--- a/drivers/hid/hid-lg.c
		55	+++ b/drivers/hid/hid-lg.c
		56	@@ -345,14 +345,14 @@ static __u8 lg_report_fixup(struct hid_device hdev, __u8 *rdesc,
		57	struct usb_device_descriptor *udesc;
		58	__u16 bcdDevice, rev_maj, rev_min;
		59
		60	- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
		61	+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
		62	rdesc[84] == 0x8c && rdesc[85] == 0x02) {
		63	hid_info(hdev,
		64	"fixing up Logitech keyboard report descriptor\n");
		65	rdesc[84] = rdesc[89] = 0x4d;
		66	rdesc[85] = rdesc[90] = 0x10;
		67	}
		68	- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
		69	+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
		70	rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
		71	rdesc[49] == 0x81 && rdesc[50] == 0x06) {
		72	hid_info(hdev,
		73	diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
		74	index 9e14c00..25daf28 100644
		75	--- a/drivers/hid/hid-monterey.c
		76	+++ b/drivers/hid/hid-monterey.c
		77	@@ -24,7 +24,7 @@
		78	static __u8 mr_report_fixup(struct hid_device hdev, __u8 *rdesc,
		79	unsigned int *rsize)
		80	{
		81	- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
		82	+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
		83	hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
		84	rdesc[30] = 0x0c;
		85	}
		86	diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
		87	index 736b250..6aca4f2 100644
		88	--- a/drivers/hid/hid-petalynx.c
		89	+++ b/drivers/hid/hid-petalynx.c
		90	@@ -25,7 +25,7 @@
		91	static __u8 pl_report_fixup(struct hid_device hdev, __u8 *rdesc,
		92	unsigned int *rsize)
		93	{
		94	- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
		95	+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
		96	rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
		97	rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
		98	hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
		99	diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
		100	index 87fc91e..91072fa 100644
		101	--- a/drivers/hid/hid-sunplus.c
		102	+++ b/drivers/hid/hid-sunplus.c
		103	@@ -24,7 +24,7 @@
		104	static __u8 sp_report_fixup(struct hid_device hdev, __u8 *rdesc,
		105	unsigned int *rsize)
		106	{
		107	- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
		108	+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
		109	rdesc[106] == 0x03) {
		110	hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
		111	rdesc[105] = rdesc[110] = 0x03;
		112	--
		113	1.9.1
		114


diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch new file mode 100644 index 000000000..082080768 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
		1	From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
		2	From: James Forshaw <forshaw@google.com>
		3	Date: Sat, 23 Aug 2014 14:39:48 -0700
		4	Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
		5	response
		6
		7	This patch fixes a potential security issue in the whiteheat USB driver
		8	which might allow a local attacker to cause kernel memory corrpution. This
		9	is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
		10	EHCI and XHCI busses it's possible to craft responses greater than 64
		11	bytes leading a buffer overflow.
		12
		13	This fixes CVE-2014-3185
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: James Forshaw <forshaw@google.com>
		17	Cc: stable <stable@vger.kernel.org>
		18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		19	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		20	---
		21	drivers/usb/serial/whiteheat.c \| 7 ++++++-
		22	1 file changed, 6 insertions(+), 1 deletion(-)
		23
		24	diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
		25	index e62f2df..6c3734d 100644
		26	--- a/drivers/usb/serial/whiteheat.c
		27	+++ b/drivers/usb/serial/whiteheat.c
		28	@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
		29	dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
		30	return;
		31	}
		32	+ if (!urb->actual_length) {
		33	+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
		34	+ return;
		35	+ }
		36	if (status) {
		37	dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
		38	if (status != -ENOENT)
		39	@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
		40	/* These are unsolicited reports from the firmware, hence no
		41	waiting command to wakeup */
		42	dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
		43	- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
		44	+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
		45	+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
		46	memcpy(command_info->result_buffer, &data[1],
		47	urb->actual_length - 1);
		48	command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
		49	--
		50	1.9.1
		51


diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index 874a3f2b5..195b47771 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -13,6 +13,10 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
13	file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \	13	file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
14	file://udf-CVE-2014-6410.patch \	14	file://udf-CVE-2014-6410.patch \
15	file://net-sctp-CVE-2014-0101.patch \	15	file://net-sctp-CVE-2014-0101.patch \
		16	file://0001-HID-CVE-2014-3181.patch \
		17	file://0002-HID-CVE-2014-3182.patch \
		18	file://0003-HID-CVE-2014-3184.patch \
		19	file://0004-USB-CVE-2014-3185.patch \
16	"	20	"
17	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	21	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
18		22