Hi Greg, On Aug 26 2014 or thereabouts, gregkh@xxxxxxxxxxxxxxxxxxx wrote: > > This is a note to let you know that I've just added the patch titled > > HID: logitech: perform bounds checking on device_id early enough > > to the 3.10-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary > > The filename of the patch is: > hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch > and it can be found in the queue-3.10 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable@xxxxxxxxxxxxxxx> know about it. I do have one restriction for this one (same goes for the 3.14/3.16 patches queues). This patch fixes what it fixes, but it creates false errors reported to dmesg while plugging in a device. I do not like adding such erroneous errors to a stable tree, so I would prefer not to take it in its current form without the proper fix :( I know the plan is to go quick with this, so maybe we should consider cherry-picking the fix I submitted last week shortly after this one went into Linus' tree: https://patchwork.kernel.org/patch/4766971/ Jiri, any opinion? Cheers, Benjamin > > > From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001 > From: Jiri Kosina <jkosina@xxxxxxx> > Date: Thu, 21 Aug 2014 09:57:17 -0500 > Subject: HID: logitech: perform bounds checking on device_id early enough > > From: Jiri Kosina <jkosina@xxxxxxx> > > commit ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 upstream. > > device_index is a char type and the size of paired_dj_deivces is 7 > elements, therefore proper bounds checking has to be applied to > device_index before it is used. > > We are currently performing the bounds checking in > logi_dj_recv_add_djhid_device(), which is too late, as malicious device > could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the > problem in one of the report forwarding functions called from > logi_dj_raw_event(). > > Fix this by performing the check at the earliest possible ocasion in > logi_dj_raw_event(). > > Reported-by: Ben Hawkes <hawkes@xxxxxxxxxx> > Reviewed-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx> > Signed-off-by: Jiri Kosina <jkosina@xxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html