Bugzilla – Bug 896387
VUL-1: CVE-2014-3183: kernel: HID: Linux kernel hid-logitech-dj.c logi_dj_ll_raw_request heap overflow
Last modified: 2014-11-12 17:15:33 UTC
via oss-sec and google security https://code.google.com/p/google-security-research/issues/detail?id=90

Another potential issue (similar but distinct from https://code.google.com/p/google-security-research/issues/detail?id=89) exists in drivers/hid/hid-logitech-dj.c that can result in a heap overflow.

The bounds check on "count" in logi_dj_ll_raw_request appears to only apply a minimum bound on "count", not a maximum. The allocated output buffer is 15 (DJREPORT_SHORT_LENGTH) bytes in length, but hid_hw_raw_request will issue requests up to 4096 (HID_MAX_BUFFER_SIZE), which could result in heap overflow.

This issue has not been triggered/confirmed, but a suggested patch has been attached. This assumes that the current behavior of rounding "count" up to a bigger value is erroneous (since it could leak a small amount of data contiguous to "buf") - this assumption should be confirmed with the device driver maintainer.

The patch has been committed by Jiri Kosina: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51217e69697fba92a06e07e16f55c9a52d8e8945

Thanks for the fast response from security@kernel.org and Jiri.
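The bounds check described in the report above, as an added example that is not part of the original report or the kernel source: a userspace C model of the copy into the 15-byte buffer, with the minimum-only check beside a version that also bounds "count" from above. The two-byte header, the function names and the 0x20 report id are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DJREPORT_SHORT_LENGTH 15  /* output buffer size, from the report */
#define HID_MAX_BUFFER_SIZE 4096  /* largest request size, from the report */
#define HDR_LEN 2                 /* assumption: two header bytes before payload */
#define PAYLOAD_MAX (DJREPORT_SHORT_LENGTH - HDR_LEN)

/* Minimum-only check as the report describes it: small counts are rounded up,
 * large counts pass through. Returns the length that would be copied. */
size_t copy_len_min_only(size_t count)
{
    if (count < PAYLOAD_MAX)
        count = PAYLOAD_MAX;
    return count;
}

/* 1 if `len` payload bytes after the header stay inside the output buffer. */
int fits(size_t len) { return len <= PAYLOAD_MAX; }

/* Hardened copy: count is bounded from above, and a short input is padded
 * with zeros rather than rounded up, so nothing next to buf is read. */
int build_short_report(uint8_t *out, uint8_t report_id, uint8_t device_index,
                       const uint8_t *buf, size_t count)
{
    if (out == NULL || buf == NULL || count == 0)
        return -1;
    if (count > PAYLOAD_MAX)
        count = PAYLOAD_MAX;
    memset(out, 0, DJREPORT_SHORT_LENGTH);
    out[0] = report_id;
    out[1] = device_index;
    memcpy(out + HDR_LEN, buf, count);
    return (int)count;
}

int main(void)
{
    uint8_t out[DJREPORT_SHORT_LENGTH];
    uint8_t big[HID_MAX_BUFFER_SIZE] = {0};  /* constructed worst-case input */
    size_t n = copy_len_min_only(sizeof big);
    printf("min-only: copies %zu bytes, fits=%d\n", n, fits(n));
    printf("hardened: copies %d bytes\n",  /* 0x20: constructed report id */
           build_short_report(out, 0x20, 1, big, sizeof big));
    return 0;
}
```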
The driver was introduced by 534a7b8e10ec55d9f521e68c20dbb3634c25b98a in 3.2 and never backported to older SLES branches. TD branches are not affected either.
(fix needed for SLE12 then however ;)
bugbot adjusting priority
51217e69697f ("HID: logitech: fix bounds checking on LED report size")

11SP3: doesn't have the driver
SLE12: not affected
Patch - 0e40d35637d6 ("HID: logitech-dj: remove hidinput_input_event") introducing the bug was added in 3.15
oS12.3: ditto
oS13.1: ditto
oS13.2: has the patch