Bug 896385 (CVE-2014-3182) - VUL-1: CVE-2014-3182: kernel: HID: Linux kernel hid-logitech-dj.c device_index arbitrary kfree
Status: RESOLVED FIXED
Alias: CVE-2014-3182
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 12.3
Priority: P4 - Low    Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-12 07:19 UTC by Marcus Meissner
Modified: 2015-02-19 03:03 UTC
CC: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-09-12 07:19:41 UTC
via oss-sec and google security

https://code.google.com/p/google-security-research/issues/detail?id=89

A bug exists in drivers/hid/hid-logitech-dj.c that can result in a kfree of an arbitrary pointer. The logi_dj_recv_destroy_djhid_device function fails to bounds check the device_index that is supplied in the device-controlled “struct dj_report”. This leads to an out-of-bounds array access, since djrcv_dev->paired_dj_devices has 7 elements and the device_index is a character type (i.e. indexes up to 255). 

We consider this a security bug in the context of an attacker who gains short-term physical access to a running device with the goal of turning this into long-term remote access. We have confirmed that this issue is triggerable in practice by modifying QEMU’s “dev-hid.c” to exhibit a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED report type. 

I’ve attached a non-tested patch that attempts to address the issue, and also variants in logi_dj_recv_forward_null_report and logi_dj_recv_forward_report. The idea is to move the device_id bounds check to the earliest possible point in logi_dj_raw_event.

The patch has been fixed up and committed by Jiri Kosina: 

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

Thanks for the fast response from security@kernel.org and Jiri.
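The flaw described above and the shape of the fix, as an added user-space model (not the driver's code and not the linked patch): a 7-slot device table indexed by an attacker-controlled u8, a handler with no range check of its own, and the single early check in the raw-event path that the fix introduces. The macro names mirror the driver's, but their values here are assumed from the description (7 slots, valid indexes 1..6); the report layout, the report ID constants and the helper names make_unpair_report, dj_index_in_range, vulnerable_raw_event and hardened_raw_event are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the receiver's device table.  Values follow the
 * description above (7 slots, indexes 1..6 valid, slot 0 unused); the
 * macro names are assumed to match the driver's, DJ_NUM_SLOTS is ours. */
#define DJ_MAX_PAIRED_DEVICES  6
#define DJ_DEVICE_INDEX_MIN    1
#define DJ_DEVICE_INDEX_MAX    6
#define DJ_NUM_SLOTS           (DJ_MAX_PAIRED_DEVICES + DJ_DEVICE_INDEX_MIN)

#define REPORT_ID_DJ_SHORT                 0x20  /* assumed value */
#define REPORT_TYPE_NOTIF_DEVICE_UNPAIRED  0x40  /* assumed value */

/* Simplified DJ report: device_index is a u8 (0..255) chosen entirely by
 * whatever sits on the USB side, e.g. a modified QEMU HID device. */
struct dj_report {
    uint8_t report_id;
    uint8_t device_index;
    uint8_t report_type;
    uint8_t report_params[12];
};

struct dj_device {
    uint8_t device_index;
};

struct dj_receiver_dev {
    struct dj_device *paired_dj_devices[DJ_NUM_SLOTS];  /* 7 entries */
};

/* Constructed sample input: an unpair notification for a chosen index. */
static struct dj_report make_unpair_report(uint8_t device_index)
{
    struct dj_report r;
    memset(&r, 0, sizeof r);
    r.report_id = REPORT_ID_DJ_SHORT;
    r.device_index = device_index;
    r.report_type = REPORT_TYPE_NOTIF_DEVICE_UNPAIRED;
    return r;
}

/* The handler as the report describes it: no range check of its own.
 * With a u8 index and a 7-entry table, any index >= 7 reads a pointer
 * from beyond the array and passes it to free() (kfree() in the kernel). */
static void destroy_djhid_device(struct dj_receiver_dev *djrcv_dev,
                                 const struct dj_report *dj_report)
{
    struct dj_device *dj_dev = djrcv_dev->paired_dj_devices[dj_report->device_index];

    if (dj_dev) {
        free(dj_dev);
        djrcv_dev->paired_dj_devices[dj_report->device_index] = NULL;
    }
}

/* "Before": dispatch straight to the handler, trusting device_index. */
static bool vulnerable_raw_event(struct dj_receiver_dev *djrcv_dev,
                                 const struct dj_report *dj_report)
{
    if (dj_report->report_id != REPORT_ID_DJ_SHORT)
        return false;
    if (dj_report->report_type == REPORT_TYPE_NOTIF_DEVICE_UNPAIRED)
        destroy_djhid_device(djrcv_dev, dj_report);  /* OOB for index >= 7 */
    return true;
}

/* The one check the fix adds, applied before any handler runs. */
static bool dj_index_in_range(uint8_t device_index)
{
    return device_index >= DJ_DEVICE_INDEX_MIN &&
           device_index <= DJ_DEVICE_INDEX_MAX;
}

/* "After": validate once at the earliest common point, so neither the
 * unpair handler nor (in the driver) the forward_*_report paths ever see
 * an out-of-range index.  A rejected report returns false and is dropped. */
static bool hardened_raw_event(struct dj_receiver_dev *djrcv_dev,
                               const struct dj_report *dj_report)
{
    if (dj_report->report_id != REPORT_ID_DJ_SHORT)
        return false;

    if (!dj_index_in_range(dj_report->device_index)) {
        fprintf(stderr, "logi_dj: invalid device index: %u (dropped)\n",
                dj_report->device_index);
        return false;
    }

    if (dj_report->report_type == REPORT_TYPE_NOTIF_DEVICE_UNPAIRED)
        destroy_djhid_device(djrcv_dev, dj_report);
    return true;
}

int main(void)
{
    struct dj_receiver_dev rcv;
    memset(&rcv, 0, sizeof rcv);
    rcv.paired_dj_devices[3] = calloc(1, sizeof(struct dj_device));

    struct dj_report malformed = make_unpair_report(200);
    struct dj_report genuine   = make_unpair_report(3);

    /* The hardened path drops the malformed report and leaves slot 3 alone;
     * vulnerable_raw_event(&rcv, &malformed) would instead index slot 200. */
    printf("malformed accepted: %d\n", hardened_raw_event(&rcv, &malformed));
    printf("genuine accepted:   %d\n", hardened_raw_event(&rcv, &genuine));
    printf("slot 3 after unpair: %p\n", (void *)rcv.paired_dj_devices[3]);
    return 0;
}
```

The point of putting the check in the raw-event function rather than in each handler is that every DJ report, whatever its type, passes through that one place; a check added to destroy_djhid_device alone would leave the forward_null_report and forward_report variants mentioned above unguarded.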
Comment 1 Michal Hocko 2014-09-12 08:50:48 UTC
The driver was introduced by 534a7b8e10ec55d9f521e68c20dbb3634c25b98a in 3.2 and was never backported to older SLES branches.

TD branches are not affected either.
Comment 2 Jiri Kosina 2014-09-12 09:04:16 UTC
5abfe85c1d4694d5d4bbd13ecc166262b937adf0 is needed on top.
Comment 3 Marcus Meissner 2014-09-12 09:05:54 UTC
(fix needed for SLE12 then however ;)
Comment 4 Swamp Workflow Management 2014-09-12 22:00:28 UTC
bugbot adjusting priority
Comment 5 Borislav Petkov 2014-11-11 19:59:06 UTC
11SP3: doesn't have the driver
SLE12:
 - ad3e14d7c526 ("HID: logitech: perform bounds checking on device_id early enough") already there
 - 5abfe85c1d46 ("HID: logitech-dj: prevent false errors to be shown") already there
oS12.3: backported
oS13.1: backported
oS13.2: has them
Comment 6 Swamp Workflow Management 2014-12-19 18:07:38 UTC
openSUSE-SU-2014:1669-1: An update that solves 22 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 768714,818561,835839,853040,865882,882639,883518,883724,883948,887082,889173,890624,892490,896382,896385,896390,896391,896392,896689,899785,904013,904700,905100,905764,907818,909077,910251
CVE References: CVE-2013-2889,CVE-2013-2891,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 12.3 (src):    kernel-docs-3.7.10-1.45.2, kernel-source-3.7.10-1.45.1, kernel-syms-3.7.10-1.45.1
Comment 7 Swamp Workflow Management 2014-12-21 12:09:34 UTC
openSUSE-SU-2014:1677-1: An update that solves 31 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 818966,835839,853040,856659,864375,865882,873790,875051,881008,882639,882804,883518,883724,883948,883949,884324,887046,887082,889173,890114,891689,892490,893429,896382,896385,896390,896391,896392,896689,897736,899785,900392,902346,902349,902351,904013,904700,905100,905744,907818,908163,909077,910251
CVE References: CVE-2013-2891,CVE-2013-2898,CVE-2014-0181,CVE-2014-0206,CVE-2014-1739,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4611,CVE-2014-4943,CVE-2014-5077,CVE-2014-5206,CVE-2014-5207,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-7975,CVE-2014-8133,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.16.1, crash-7.0.2-2.16.1, hdjmod-1.28-16.16.1, ipset-6.21.1-2.20.1, iscsitarget-1.4.20.3-13.16.1, kernel-docs-3.11.10-25.2, kernel-source-3.11.10-25.1, kernel-syms-3.11.10-25.1, ndiswrapper-1.58-16.1, pcfclock-0.44-258.16.1, vhba-kmp-20130607-2.17.1, virtualbox-4.2.18-2.21.1, xen-4.3.2_02-30.1, xtables-addons-2.3-2.16.1