On Wed, 28 Aug 2013, Jiri Kosina wrote: > From: Kees Cook <keescook@xxxxxxxxxxxx> > > The "Report ID" field of a HID report is used to build indexes of > reports. The kernel's index of these is limited to 256 entries, so any > malicious device that sets a Report ID greater than 255 will trigger > memory corruption on the host: > > [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 > [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b > > CVE-2013-2888 > > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > Cc: stable@xxxxxxxxxx Applied this one to hid.git#for-3.11/CVE-2013-2888 Thanks, -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
