• Breno Leitao's avatar
    HID: hiddev: fix potential Spectre v1 · f1127439
    Breno Leitao authored
    uref->usage_index can be indirectly controlled by userspace, hence leading
    to a potential exploitation of the Spectre variant 1 vulnerability.
    
    This field is used as an array index by the hiddev_ioctl_usage() function,
    when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
    HIDIOCSUSAGES.
    
    For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
    field->maxusage and then used as an index to dereference field->usage
    array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
    uref->usage_index is checked against an array maximum value and then it is
    used as an index in an array.
    
    This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
    traditional Spectre V1 first load:
    
    	copy_from_user(uref, user_arg, sizeof(*uref))
    	if (uref->usage_index >= field->maxusage)
    		goto inval;
    	i = field->usage[uref->usage_index].collection_index;
    	return i;
    
    This patch fixes this by sanitizing field uref->usage_index before using it
    to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
    HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: 's avatarBreno Leitao <leitao@debian.org>
    --
    
    v2: Contemplate cmd == HIDIOC{G,S}USAGES case
    Signed-off-by: 's avatarJiri Kosina <jkosina@suse.cz>
    f1127439
Name
Last commit
Last update
..
Kconfig Loading commit data...
Makefile Loading commit data...
hid-core.c Loading commit data...
hid-pidff.c Loading commit data...
hiddev.c Loading commit data...
usbhid.h Loading commit data...
usbkbd.c Loading commit data...
usbmouse.c Loading commit data...