<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/hid/hid-input.c, branch linux-3.11.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>HID: validate feature and input report details</title>
<updated>2013-10-01T16:40:58+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-09-11T19:56:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=12b5c3cc9ca345ae880ae811fae565ed208e96a5'/>
<id>12b5c3cc9ca345ae880ae811fae565ed208e96a5</id>
<content type='text'>
commit cc6b54aa54bf40b762cab45a9fc8aa81653146eb upstream.

When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cc6b54aa54bf40b762cab45a9fc8aa81653146eb upstream.

When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>HID: battery: don't do DMA from stack</title>
<updated>2013-09-27T00:21:46+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-09-02T11:43:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f0c298af1d7ac27bef191a8593c14244341efb01'/>
<id>f0c298af1d7ac27bef191a8593c14244341efb01</id>
<content type='text'>
commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream.

Instead of using data from stack for DMA in hidinput_get_battery_property(),
allocate the buffer dynamically.

Reported-by: Richard Ryniker &lt;ryniker@alum.mit.edu&gt;
Reported-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream.

Instead of using data from stack for DMA in hidinput_get_battery_property(),
allocate the buffer dynamically.

Reported-by: Richard Ryniker &lt;ryniker@alum.mit.edu&gt;
Reported-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branches 'for-3.11/multitouch', 'for-3.11/sony' and 'for-3.11/upstream' into for-linus</title>
<updated>2013-07-04T13:02:26+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-07-04T13:02:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=08ec2dcc3527a20c619aca2fb36f800908256bac'/>
<id>08ec2dcc3527a20c619aca2fb36f800908256bac</id>
<content type='text'>
Conflicts:
	drivers/hid/hid-core.c
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/hid/hid-core.c
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: explain out-of-range check better</title>
<updated>2013-06-19T21:54:10+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-06-19T21:52:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a688393bd3fb27690a77f7ae8607b4969039bac5'/>
<id>a688393bd3fb27690a77f7ae8607b4969039bac5</id>
<content type='text'>
Extend the comment explaining the condition for discarding
out-of-range values to clarify the cases in which devices don't
provide any logical min/max.

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Extend the comment explaining the condition for discarding
out-of-range values to clarify the cases in which devices don't
provide any logical min/max.

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: fix false positive out of range values</title>
<updated>2013-06-19T21:53:52+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-06-19T15:49:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6f1891d01956cad406d2af8ed2e9cef6108bfc5e'/>
<id>6f1891d01956cad406d2af8ed2e9cef6108bfc5e</id>
<content type='text'>
Commit 6da7066906e977d42104a859c490f5f9a300488c introduced in 3.3
"HID: ignore absolute values which don't fit between logical min and max"
prevents some Posiflex touch screen to work because they do not provide
logical min and max for their buttons.
Thus, logical min and max are at 0, discarding the buttons events, and
preventing the device to report appropriate X Y.

Adding a check on "min &lt; max" solves the problem.

Reported-by: Jan Kandziora &lt;jjj@gmx.de&gt;
Tested-by: Jan Kandziora &lt;jjj@gmx.de&gt;
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit 6da7066906e977d42104a859c490f5f9a300488c introduced in 3.3
"HID: ignore absolute values which don't fit between logical min and max"
prevents some Posiflex touch screen to work because they do not provide
logical min and max for their buttons.
Thus, logical min and max are at 0, discarding the buttons events, and
preventing the device to report appropriate X Y.

Adding a check on "min &lt; max" solves the problem.

Reported-by: Jan Kandziora &lt;jjj@gmx.de&gt;
Tested-by: Jan Kandziora &lt;jjj@gmx.de&gt;
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: input: return ENODATA if reading battery attrs fails</title>
<updated>2013-05-29T13:19:47+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2013-05-13T15:01:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d0a934b764c67b4bf626f5b7cf725a6e3066afd2'/>
<id>d0a934b764c67b4bf626f5b7cf725a6e3066afd2</id>
<content type='text'>
power_supply core has the bad habit of calling our battery callbacks
from within power_supply_register(). Furthermore, if the callbacks
fail with an unhandled error code, it will skip any uevent that it
might currently process.
So if HID-core registers battery devices, an "add" uevent is generated
and the battery callbacks are called. These will gracefully fail due
to timeouts as they might still hold locks on event processing. One
could argue that this should be fixed in power_supply core, but the
least we can do is to signal ENODATA so power_supply core will just
skip the property and continue with the uevent.

This fixes a bug where "add" and "remove" uevents are skipped for
battery devices. upower is unable to track these devices and currently
needs to ignore them.

This patch also overwrites any other error code. I cannot see any reason
why we should forward protocol- or I/O-errors to the power_supply core.
We handle these errors in hid_ll_driver later, anyway, so just skip
them. power_supply core cannot do anything useful with them, anyway,
and we avoid skipping important uevents and confusing user-space.

Thanks a lot to Daniel Nicoletti for pushing and investigating
on this.

Cc: Jiri Kosina &lt;jkosina@suse.cz&gt;
Cc: Anton Vorontsov &lt;cbou@mail.ru&gt;
Cc: David Woodhouse &lt;dwmw2@infradead.org&gt;
Reported-by: Daniel Nicoletti &lt;dantti12@gmail.com&gt;
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
power_supply core has the bad habit of calling our battery callbacks
from within power_supply_register(). Furthermore, if the callbacks
fail with an unhandled error code, it will skip any uevent that it
might currently process.
So if HID-core registers battery devices, an "add" uevent is generated
and the battery callbacks are called. These will gracefully fail due
to timeouts as they might still hold locks on event processing. One
could argue that this should be fixed in power_supply core, but the
least we can do is to signal ENODATA so power_supply core will just
skip the property and continue with the uevent.

This fixes a bug where "add" and "remove" uevents are skipped for
battery devices. upower is unable to track these devices and currently
needs to ignore them.

This patch also overwrites any other error code. I cannot see any reason
why we should forward protocol- or I/O-errors to the power_supply core.
We handle these errors in hid_ll_driver later, anyway, so just skip
them. power_supply core cannot do anything useful with them, anyway,
and we avoid skipping important uevents and confusing user-space.

Thanks a lot to Daniel Nicoletti for pushing and investigating
on this.

Cc: Jiri Kosina &lt;jkosina@suse.cz&gt;
Cc: Anton Vorontsov &lt;cbou@mail.ru&gt;
Cc: David Woodhouse &lt;dwmw2@infradead.org&gt;
Reported-by: Daniel Nicoletti &lt;dantti12@gmail.com&gt;
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: input: don't register unmapped input devices</title>
<updated>2013-03-27T13:02:45+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-03-22T17:38:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4f22decf9b6329acfe59091c5cba6b378b9b31db'/>
<id>4f22decf9b6329acfe59091c5cba6b378b9b31db</id>
<content type='text'>
There is no need to register an input device containing no events.
This allows drivers using the quirk MULTI_INPUT to register one input
per report effectively used.

For backward compatibility, we need to add a quirk to request
this behavior.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is no need to register an input device containing no events.
This allows drivers using the quirk MULTI_INPUT to register one input
per report effectively used.

For backward compatibility, we need to add a quirk to request
this behavior.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branches 'for-3.7/upstream-fixes', 'for-3.8/hidraw', 'for-3.8/i2c-hid', 'for-3.8/multitouch', 'for-3.8/roccat', 'for-3.8/sensors' and 'for-3.8/upstream' into for-linus</title>
<updated>2012-12-12T20:41:55+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2012-12-12T20:41:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=818b930bc15077fc00ff16bb22c5df1857f05afa'/>
<id>818b930bc15077fc00ff16bb22c5df1857f05afa</id>
<content type='text'>
Conflicts:
	drivers/hid/hid-core.c
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/hid/hid-core.c
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: hid-input: factorize hid_input allocation</title>
<updated>2012-11-29T13:59:40+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@gmail.com</email>
</author>
<published>2012-11-23T15:31:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ae751fa82dd8e5a79932d6b55742e7e298afd733'/>
<id>ae751fa82dd8e5a79932d6b55742e7e298afd733</id>
<content type='text'>
This just refactors the allocation of hid_input.
No semantic changes.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@gmail.com&gt;
Reviewed-by: Henrik Rydberg &lt;rydberg@euromail.se&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This just refactors the allocation of hid_input.
No semantic changes.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@gmail.com&gt;
Reviewed-by: Henrik Rydberg &lt;rydberg@euromail.se&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: add battery quirk for Apple 2009_ISO keyboard</title>
<updated>2012-11-26T13:25:24+00:00</updated>
<author>
<name>Ortwin Glück</name>
<email>odi@odi.ch</email>
</author>
<published>2012-11-25T14:08:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4cc8541782140e9ccbece5c8ac367fbf659b16d9'/>
<id>4cc8541782140e9ccbece5c8ac367fbf659b16d9</id>
<content type='text'>
Support battery capacity on another Apple wireless keyboard.

Signed-off-by: Ortwin Glück &lt;odi@odi.ch&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Support battery capacity on another Apple wireless keyboard.

Signed-off-by: Ortwin Glück &lt;odi@odi.ch&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
</feed>
