linux-stable.git/include/linux/hid.h, branch linux-2.6.34.y Linux kernel stable tree HID: provide a helper for validating hid reports 2014-02-10T21:10:46+00:00 Kees Cook keescook@chromium.org 2013-09-11T19:56:50+00:00 8e8f904083cd716a0244e89020b26a7346202a3b commit 331415ff16a12147d57d5c953f3a961b7ede348b upstream. Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report exisitng, the field existing, and the expected number of values within the field. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [PG: in 2.6.34 it is err_hid(), original baseline had hid_err().] Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
commit 331415ff16a12147d57d5c953f3a961b7ede348b upstream.

Many drivers need to validate the characteristics of their HID report
during initialization to avoid misusing the reports. This adds a common
helper to perform validation of the report exisitng, the field existing,
and the expected number of values within the field.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[PG: in 2.6.34 it is err_hid(), original baseline had hid_err().]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
HID: validate HID report id size 2014-02-10T21:10:45+00:00 Kees Cook keescook@chromium.org 2013-08-28T20:29:55+00:00 a04155e1d8343be1dee5e52979cae7a5afef1d88 commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream. The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [PG: hid_err() --> dbg_hid() in 2.6.34 baseline] Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 
commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.

The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[PG: hid_err() --> dbg_hid() in 2.6.34 baseline]

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Merge branches 'upstream', 'raw_report_modifications' and 'apple_magic_mouse' into for-linus 2010-02-25T16:39:16+00:00 Jiri Kosina jkosina@suse.cz 2010-02-25T16:39:16+00:00 14ef2b0c026558d37662e5e095d59c64597d5769 Conflicts: drivers/hid/Kconfig 
Conflicts:
	drivers/hid/Kconfig
HID: Export hid_register_report 2010-02-10T13:57:30+00:00 Michael Poole mdpoole@troilus.org 2010-01-25T03:32:29+00:00 90a006abf8015c8cab893555244d8fc673b24839 The Apple Magic Mouse (and probably other devices) publish reports that are not called out in their HID report descriptors -- they only send them when enabled through other writes to the device. This allows a driver to handle these unlisted reports. Signed-off-by: Michael Poole <mdpoole@troilus.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
The Apple Magic Mouse (and probably other devices) publish reports that are not
called out in their HID report descriptors -- they only send them when enabled
through other writes to the device.  This allows a driver to handle these
unlisted reports.

Signed-off-by: Michael Poole <mdpoole@troilus.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: make raw reports possible for both feature and output reports 2010-02-03T14:41:52+00:00 Jiri Kosina jkosina@suse.cz 2010-01-29T14:03:36+00:00 d4bfa033ed84e0ae446eff445d107ffd5ee78df3 In commit 2da31939a42 ("Bluetooth: Implement raw output support for HIDP layer"), support for Bluetooth hid_output_raw_report was added, but it pushes the data to the intr socket instead of the ctrl one. This has been fixed by 6bf8268f9a91f1 ("Bluetooth: Use the control channel for raw HID reports") Still, it is necessary to distinguish whether the report in question should be either FEATURE or OUTPUT. For this, we have to extend the generic HID API, so that hid_output_raw_report() callback provides means to specify this value so that it can be passed down to lower level hardware drivers (currently Bluetooth and USB). Based on original patch by Bastien Nocera <hadess@hadess.net> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
In commit 2da31939a42 ("Bluetooth: Implement raw output support for HIDP
layer"), support for Bluetooth hid_output_raw_report was added, but it
pushes the data to the intr socket instead of the ctrl one. This has been
fixed by 6bf8268f9a91f1 ("Bluetooth: Use the control channel for raw HID reports")

Still, it is necessary to distinguish whether the report in question should be
either FEATURE or OUTPUT. For this, we have to extend the generic HID API,
so that hid_output_raw_report() callback provides means to specify this
value so that it can be passed down to lower level hardware drivers (currently
Bluetooth and USB).

Based on original patch by Bastien Nocera <hadess@hadess.net>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: let hid-input accept digitizers 2010-01-17T22:10:01+00:00 Stephane Chatty chatty@lii-enac.fr 2010-01-13T20:52:34+00:00 8b0e58a70a7a41443c779de074288035b014cb94 Extended IS_INPUT_APPLICATION to accept digitzers that are actual input devices (touchscreens, light pens, touch pads, white boards) Signed-off-by: Stephane Chatty <chatty@enac.fr> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
Extended IS_INPUT_APPLICATION to accept digitzers that are actual input
devices (touchscreens, light pens, touch pads, white boards)

Signed-off-by: Stephane Chatty <chatty@enac.fr>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: fixup quirk for NCR devices 2009-11-05T13:08:03+00:00 Jiri Kosina jkosina@suse.cz 2009-11-05T13:08:03+00:00 5b915d9e6dc3d22fedde91dfef1cb1a8fa9a1870 NCR devices are terminally broken by design -- they claim themselves to contain proper input applications in their HID report descriptor, but behave very badly if treated in standard way. According to NCR developers, the devices get confused when queried for reports in a standard way, rendering them unusable. NCR is shipping application called "RPSL" that can be used to drive these devices through hiddev, under the assumption that in-kernel driver doesn't perform initial report query. If it does, neither in-kernel nor hiddev-based driver can operate with these devices any more. Introduce a quirk that skips the report query for all NCR devices. The previous NOGET quirk was wrong and had been introduced because I misunderstood the nature of brokenness of these devices. Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
NCR devices are terminally broken by design -- they claim themselves to contain
proper input applications in their HID report descriptor, but behave very badly
if treated in standard way.

According to NCR developers, the devices get confused when queried for reports
in a standard way, rendering them unusable.

NCR is shipping application called "RPSL" that can be used to drive these
devices through hiddev, under the assumption that in-kernel driver doesn't
perform initial report query.
If it does, neither in-kernel nor hiddev-based driver can operate with these
devices any more.

Introduce a quirk that skips the report query for all NCR devices. The previous
NOGET quirk was wrong and had been introduced because I misunderstood the nature
of brokenness of these devices.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: consolidate connect and disconnect into core code 2009-09-17T13:15:11+00:00 Jiri Kosina jkosina@suse.cz 2009-09-15T14:27:45+00:00 c4c259bcc27c4242b012106afdba183622b1735f HID core registers input, hidraw and hiddev devices, but leaves unregistering it up to the individual driver, which is not really nice. Let's move all the logic to the core. Reported-by: Marcel Holtmann <marcel@holtmann.org> Reported-by: Brian Rogers <brian@xyzw.org> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
HID core registers input, hidraw and hiddev devices, but leaves
unregistering it up to the individual driver, which is not really nice.
Let's move all the logic to the core.

Reported-by: Marcel Holtmann <marcel@holtmann.org>
Reported-by: Brian Rogers <brian@xyzw.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Merge branches 'upstream', 'upstream-fixes' and 'debugfs' into for-linus 2009-09-13T18:09:41+00:00 Jiri Kosina jkosina@suse.cz 2009-09-13T18:09:41+00:00 8123e8f7c89a07cb22279b15bf47cdee0205d4a1 






HID: use debugfs for events/reports dumping
2009-06-12T13:20:57+00:00

Jiri Kosina
jkosina@suse.cz

2009-06-12T13:20:57+00:00

cd667ce24796700e1a0e6e7528efc61c96ff832e

This is a followup patch to the one implemeting rdesc representation in debugfs
rather than being dependent on compile-time CONFIG_HID_DEBUG setting.

The API of the appropriate formatting functions is slightly modified -- if
they are passed seq_file pointer, the one-shot output for 'rdesc' file mode
is used, and therefore the message is formatted into the corresponding seq_file
immediately.

Otherwise the called function allocated a new buffer, formats the text into the
buffer and returns the pointer to it, so that it can be queued into the ring-buffer
of the processess blocked waiting on input on 'events' file in debugfs.

'debug' parameter to the 'hid' module is now used solely for the prupose of inetrnal
driver state debugging (parser, transport, etc).

Signed-off-by: Jiri Kosina <jkosina@suse.cz>





This is a followup patch to the one implemeting rdesc representation in debugfs
rather than being dependent on compile-time CONFIG_HID_DEBUG setting.

The API of the appropriate formatting functions is slightly modified -- if
they are passed seq_file pointer, the one-shot output for 'rdesc' file mode
is used, and therefore the message is formatted into the corresponding seq_file
immediately.

Otherwise the called function allocated a new buffer, formats the text into the
buffer and returns the pointer to it, so that it can be queued into the ring-buffer
of the processess blocked waiting on input on 'events' file in debugfs.

'debug' parameter to the 'hid' module is now used solely for the prupose of inetrnal
driver state debugging (parser, transport, etc).

Signed-off-by: Jiri Kosina <jkosina@suse.cz>