leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
8c01db7619f07c85c5cd81ec5eb83608b56c88f5
linux/drivers/hid
History
Eric Biggers 8c01db7619 HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges 
When a UHID_CREATE command is written to the uhid char device, a
copy_from_user() is done from a user pointer embedded in the command.
When the address limit is KERNEL_DS, e.g. as is the case during
sys_sendfile(), this can read from kernel memory.  Alternatively,
information can be leaked from a setuid binary that is tricked to write
to the file descriptor.  Therefore, forbid UHID_CREATE in these cases.

No other commands in uhid_char_write() are affected by this bug and
UHID_CREATE is marked as "obsolete", so apply the restriction to
UHID_CREATE only rather than to uhid_char_write() entirely.

Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
Jann Horn for commit 9da3f2b740 ("x86/fault: BUG() when uaccess
helpers fault on kernel addresses"), allowing this bug to be found.

Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
Fixes: d365c6cfd3 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
Cc: <stable@vger.kernel.org> # v3.6+
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2018-11-19 14:25:15 +01:00
..
i2c-hid
Merge branch 'master' into for-4.20/upstream-fixes
2018-11-06 13:57:02 +01:00
intel-ish-hid
Merge branch 'for-4.20/i2c-hid' into for-linus
2018-10-23 13:34:28 +02:00
usbhid
HID: hiddev: fix potential Spectre v1
2018-10-26 17:06:24 +02:00
hid-a4tech.c
hid-accutouch.c
HID: Accutouch: Add driver for ELO Accutouch 2216 USB Touchscreens
2017-03-21 15:03:55 +01:00
hid-alps.c
HID: alps: allow incoming reports when only the trackstick is opened
2018-10-26 17:27:13 +02:00
hid-apple.c
HID: add support for Apple Magic Keyboards
2018-08-28 13:52:50 +02:00
hid-appleir.c
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
hid-asus.c
HID: asus: fix build warning wiht CONFIG_ASUS_WMI disabled
2018-11-06 13:57:42 +01:00
hid-aureal.c
HID: fix some indenting issues
2015-10-21 13:15:53 +02:00
hid-axff.c
hid-belkin.c
hid-betopff.c
HID: betop: add drivers/hid/hid-betopff.c
2014-12-22 15:00:25 +01:00
hid-bigbenff.c
HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad
2018-09-24 11:49:32 +02:00
hid-cherry.c
HID: fix a couple of off-by-ones
2014-08-21 10:43:28 -05:00
hid-chicony.c
HID: move Asus keyboard support from hid-chicony to hid-asus
2017-06-08 13:47:52 +02:00
hid-cmedia.c
HID: Support for CMedia CM6533 HID audio jack controls
2016-03-02 10:31:36 +01:00
hid-core.c
Merge branch 'for-4.20/core' into for-linus
2018-10-23 13:17:27 +02:00
hid-corsair.c
HID: corsair: Add K70 Vengeance and K70 RAPIDFIRE to
2018-02-16 13:38:16 +01:00
hid-cougar.c
HID: cougar: Stop processing vendor events on hid-core
2018-09-05 10:25:37 +02:00
hid-cp2112.c
HID: cp2112: Fix I2C_BLOCK_DATA transactions
2017-11-21 21:39:45 +01:00
hid-cypress.c
HID: hid-cypress: validate length of report
2017-01-06 16:06:43 +01:00
hid-debug.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
2018-07-09 17:16:11 -07:00
hid-dr.c
Revert "HID: dragonrise: fix HID Descriptor for 0x0006 PID"
2016-10-10 10:52:01 +02:00
hid-elan.c
HID: elan: fix spelling mistake "registred" -> "registered"
2018-10-09 13:32:06 +02:00
hid-elecom.c
HID: elecom: add support for EX-G M-XT4DRBK trackball
2018-03-06 15:15:47 +01:00
hid-elo.c
HID: elo: clear BTN_LEFT mapping
2017-11-24 14:40:23 +01:00
hid-emsff.c
hid-ezkey.c
hid-gaff.c
hid-gembird.c
HID: gembird: add new driver to fix Gembird JPD-DualForce 2
2015-08-18 15:03:43 +02:00
hid-generic.c
HID: generic: create one input report per application type
2018-04-26 14:17:31 +02:00
hid-gfrm.c
HID: generic: create one input report per application type
2018-04-26 14:17:31 +02:00
hid-google-hammer.c
HID: google: drop superfluous const before SIMPLE_DEV_PM_OPS()
2018-10-09 10:43:39 +02:00
hid-gt683r.c
HID: use to_hid_device()
2015-12-28 13:41:44 +01:00
hid-gyration.c
hid-holtek-kbd.c
hid-holtek-mouse.c
HID: Add Holtek USB ID 04d9:a0c2 ETEKCITY Scroll
2014-09-08 09:48:56 +02:00
hid-holtekff.c
HID: holtekff: move MODULE_* parameters out of #ifdef block
2017-12-01 09:31:36 +01:00
hid-hyperv.c
use the new async probing feature for the hyperv drivers
2018-07-03 13:02:28 +02:00
hid-icade.c
hid-ids.h
HID: input: Ignore battery reported by Symbol DS4308
2018-11-12 10:08:46 +01:00
hid-input.c
HID: input: Ignore battery reported by Symbol DS4308
2018-11-12 10:08:46 +01:00
hid-ite.c
HID: ite: Add hid-ite driver
2017-05-11 10:27:48 +02:00
hid-jabra.c
HID: Add special driver for Jabra devices
2017-11-21 12:54:58 +01:00
hid-kensington.c
hid-keytouch.c
hid-kye.c
scripts/spelling.txt: add "comsume(r)" pattern and fix typo instances
2017-02-27 18:43:47 -08:00
hid-lcpower.c
hid-led.c
HID: hid-led: fix issue with transfer buffer not being dma capable
2016-10-10 10:47:03 +02:00
hid-lenovo.c
HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice
2018-04-25 10:48:35 +02:00
hid-lg2ff.c
hid-lg3ff.c
hid-lg4ff.c
HID: hid-logitech: remove redundant assignment to pointer value
2017-10-19 13:52:38 +02:00
hid-lg4ff.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
hid-lg.c
HID: hid-lg: make array cbuf static const to shink object code size
2017-09-06 10:58:54 +02:00
hid-lg.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
hid-lgff.c
hid-logitech-dj.c
HID: logitech-dj: allow devices to request full pairing information
2017-04-06 14:36:36 +02:00
hid-logitech-hidpp.c
HID: logitech: fix a used uninitialized GCC warning
2018-09-24 11:30:52 +02:00
hid-magicmouse.c
HID: magicmouse: add support for Apple Magic Trackpad 2
2018-10-03 10:57:58 +02:00
hid-mf.c
HID: hid-mf: add force feedback support for Mayflash DolphinBar and GameCube
2017-01-11 22:12:44 +01:00
hid-microsoft.c
HID: microsoft: Add rumble support for Xbox One S controller
2018-09-05 10:19:43 +02:00
hid-monterey.c
HID: fix a couple of off-by-ones
2014-08-21 10:43:28 -05:00
hid-multitouch.c
HID: multitouch: simplify the application retrieval
2018-09-04 22:32:59 +02:00
hid-nti.c
HID: Add quirk driver for NTI USB-SUN adapter
2017-03-06 13:16:33 +01:00
hid-ntrig.c
HID: hid-ntrig: add error handling for sysfs_create_group
2018-06-25 15:16:11 +02:00
hid-ortek.c
HID: ortek: add one more buggy device
2017-07-24 17:38:21 +02:00
hid-penmount.c
HID: penmount: report only one button for PenMount 6000 USB touchscreen controller
2016-03-10 17:17:26 +01:00
hid-petalynx.c
HID: fix a couple of off-by-ones
2014-08-21 10:43:28 -05:00
hid-picolcd_backlight.c
HID: picoLCD: Deletion of unnecessary checks before three function calls
2015-06-29 14:51:12 +02:00
hid-picolcd_cir.c
media: rc: Remove init_ir_raw_event and DEFINE_IR_RAW_EVENT macros
2018-10-04 14:22:27 -04:00
hid-picolcd_core.c
HID: picolcd: be more verbose when reporting report size error
2014-08-27 23:27:10 +02:00
hid-picolcd_debugfs.c
HID: picoLCD: Spelling s/REPORT_WRTIE_MEMORY/REPORT_WRITE_MEMORY/
2017-03-24 15:45:04 +01:00
hid-picolcd_fb.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
hid-picolcd_lcd.c
HID: picoLCD: Deletion of unnecessary checks before three function calls
2015-06-29 14:51:12 +02:00
hid-picolcd_leds.c
HID: use to_hid_device()
2015-12-28 13:41:44 +01:00
hid-picolcd.h
hid-pl.c
hid-plantronics.c
HID: hid-plantronics: Re-resend Update to map button for PTT products
2018-05-16 11:06:40 +02:00
hid-primax.c
hid-prodikeys.c
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
hid-quirks.c
HID: Add quirk for Microsoft PIXART OEM mouse
2018-11-08 12:09:02 +01:00
hid-redragon.c
HID: redragon: fix num lock and caps lock LEDs
2018-06-25 15:23:40 +02:00
hid-retrode.c
HID: Add driver for Retrode2 joypad adapter
2017-06-22 14:44:11 +02:00
hid-rmi.c
HID: rmi: use HID_QUIRK_NO_INPUT_SYNC
2018-05-30 08:55:33 +02:00
hid-roccat-arvo.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-arvo.h
hid-roccat-common.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-common.h
hid-roccat-isku.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-isku.h
hid-roccat-kone.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-kone.h
hid-roccat-koneplus.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-koneplus.h
hid-roccat-konepure.c
hid-roccat-kovaplus.c
HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
2018-01-23 15:46:58 +01:00
hid-roccat-kovaplus.h
hid-roccat-lua.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c
HID: use kobj_to_dev()
2015-12-28 13:41:51 +01:00
hid-roccat-pyra.h
hid-roccat-ryos.c
hid-roccat-savu.c
hid-roccat-savu.h
hid-roccat.c
vfs: do bulk POLL* -> EPOLL* replacement
2018-02-11 14:34:03 -08:00
hid-saitek.c
HID: hid-saitek: Add device ID for RAT 7 Contagion
2018-08-30 10:58:44 +02:00
hid-samsung.c
hid-sensor-custom.c
vfs: do bulk POLL* -> EPOLL* replacement
2018-02-11 14:34:03 -08:00
hid-sensor-hub.c
HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report
2018-09-05 10:22:28 +02:00
hid-sjoy.c
HID: sjoy: support Super Joy Box 4
2015-05-07 10:47:53 +02:00
hid-sony.c
HID: hid-sony.c: Use devm_ api to simplify sc->output_report_dmabuf
2018-07-09 15:14:08 +02:00
hid-speedlink.c
hid-steam.c
HID: steam: use hid_device.driver_data instead of hid_set_drvdata()
2018-06-20 09:27:23 +02:00
hid-steelseries.c
HID: use to_hid_device()
2015-12-28 13:41:44 +01:00
hid-sunplus.c
HID: fix a couple of off-by-ones
2014-08-21 10:43:28 -05:00
hid-tivo.c
HID: tivo: enable all buttons on the TiVo Slide Pro remote
2015-03-15 10:04:27 -04:00
hid-tmff.c
HID: Add ID 044f:b605 ThrustMaster, Inc. force feedback Racing Wheel
2017-11-07 10:04:46 +01:00
hid-topseed.c
hid-twinhan.c
hid-uclogic.c
HID: core: remove the need for HID_QUIRK_NO_EMPTY_INPUT
2018-03-23 15:44:57 +01:00
hid-udraw-ps3.c
HID: udraw-ps3: accel_limits is local to the driver
2016-11-15 14:23:17 +01:00
hid-waltop.c
HID: Remove broken links to tablet descriptions
2016-09-19 14:32:21 +02:00
hid-wiimote-core.c
HID: wiimote: add support for Guitar-Hero devices
2018-06-25 15:26:06 +02:00
hid-wiimote-debug.c
hid-wiimote-modules.c
HID: wiimote: add support for Guitar-Hero devices
2018-06-25 15:26:06 +02:00
hid-wiimote.h
HID: wiimote: add support for Guitar-Hero devices
2018-06-25 15:26:06 +02:00
hid-xinmo.c
HID: xinmo: fix for out of range for THT 2P arcade controller.
2017-03-24 15:43:03 +01:00
hid-zpff.c
hid-zydacron.c
hidraw.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
Kconfig
Merge tag 'platform-drivers-x86-v4.20-1' of git://git.infradead.org/linux-platform-drivers-x86
2018-11-01 08:42:21 -07:00
Makefile
HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad
2018-09-24 11:49:32 +02:00
uhid.c
HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
2018-11-19 14:25:15 +01:00
wacom_sys.c
Merge branch 'for-4.19/wacom' into for-linus
2018-08-20 18:12:42 +02:00
wacom_wac.c
HID: wacom: Work around HID descriptor bug in DTK-2451 and DTH-2452
2018-10-11 14:32:01 +02:00
wacom_wac.h
HID: wacom: generic: add the "Report Valid" usage
2018-03-07 15:21:44 +01:00
wacom.h
HID: wacom: Add ability to provide explicit battery status info
2017-05-05 21:46:10 +02:00