Linux HID ntrig NULL pointer dereference

2013.09.02
Credit: Kees Cook
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 4.7/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

I've found several issues in the Linux HID code. They are making their way into the Linux kernel via the linux-input tree now: http://marc.info/?l=linux-input&m=137772180514608&w=10001-HID-validate-HID-report-id-size.patch http://marc.info/?l=linux-input&m=137772189314633&w=10010-HID-ntrig-validate-feature-report-details.patch CVE-2013-2896 Requires CONFIG_HID_NTRIG Triggers NULL deref Oops DoS A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@kernel.org --- drivers/hid/hid-ntrig.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c index ef95102..5482156 100644 --- a/drivers/hid/hid-ntrig.c +++ b/drivers/hid/hid-ntrig.c @@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. report_id_hash[0x0d]; - if (!report) + if (!report || report->maxfield < 1 || + report->field[0]->report_count < 1) return -EINVAL; hid_hw_request(hdev, report, HID_REQ_GET_REPORT);

References:

http://marc.info/?l=linux-input&m=137772180514608&w=10001-HID-validate-HID-report-id-size.patch
http://marc.info/?l=linux-input&m=137772189314633&w=10010-HID-ntrig-validate-feature-report-details.patch
http://cxsecurity.com/issue/WLB-2013090003
http://cxsecurity.com/issue/WLB-2013090005
http://cxsecurity.com/issue/WLB-2013090006
http://cxsecurity.com/issue/WLB-2013090007
http://cxsecurity.com/issue/WLB-2013090008
http://cxsecurity.com/issue/WLB-2013090009
http://cxsecurity.com/issue/WLB-2013090010
http://cxsecurity.com/issue/WLB-2013090011
http://cxsecurity.com/issue/WLB-2013090012
http://cxsecurity.com/issue/WLB-2013090013
http://cxsecurity.com/issue/WLB-2013090014
http://cxsecurity.com/issue/WLB-2013090015


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top