Linux HID picolcd NULL pointer dereference

2013.09.02
Credit: Kees Cook
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 4.7/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

I've found several issues in the Linux HID code. They are making their way into the Linux kernel via the linux-input tree now: http://marc.info/?l=linux-input&m=137772180514608&w=10001-HID-validate-HID-report-id-size.patch http://marc.info/?l=linux-input&m=137772191714649&w=10013-HID-picolcd_core-validate-output-report-details.patch CVE-2013-2899 Requires CONFIG_HID_PICOLCD Userspace-assisted NULL deref Oops DoS A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@kernel.org --- drivers/hid/hid-picolcd_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c index b48092d..72bba1e 100644 --- a/drivers/hid/hid-picolcd_core.c +++ b/drivers/hid/hid-picolcd_core.c @@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, buf += 10; cnt -= 10; } - if (!report) + if (!report || report->maxfield < 1) return -EINVAL; while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))

References:

http://marc.info/?l=linux-input&m=137772180514608&w=10001-HID-validate-HID-report-id-size.patch
http://marc.info/?l=linux-input&m=137772191714649&w=10013-HID-picolcd_core-validate-output-report-details.patch
http://cxsecurity.com/issue/WLB-2013090003
http://cxsecurity.com/issue/WLB-2013090005
http://cxsecurity.com/issue/WLB-2013090006
http://cxsecurity.com/issue/WLB-2013090007
http://cxsecurity.com/issue/WLB-2013090008
http://cxsecurity.com/issue/WLB-2013090009
http://cxsecurity.com/issue/WLB-2013090010
http://cxsecurity.com/issue/WLB-2013090011
http://cxsecurity.com/issue/WLB-2013090012
http://cxsecurity.com/issue/WLB-2013090013
http://cxsecurity.com/issue/WLB-2013090014
http://cxsecurity.com/issue/WLB-2013090015


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top