oss-sec mailing list archives

CVE Request: Linux kernel HID: hiddev buffer overflows


From: Scotty <sbauer () plzdonthack me>
Date: Sat, 25 Jun 2016 23:01:40 -0600

Good evening,

There is a small buffer overflow in the hiddev driver code which seems to have come due
to a re-factor of the driver in 2008-ish.

If a user-land process calls the hiddev ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command,
and passes a report id of HID_REPORT_ID_UNKNOWN it bypasses a series of bounds checks. Later in
the code the attacker can loop on some controlled value and overwrite past the bounds of the
uref_multi array or the value array.
        switch (cmd) {
...
...
...
                case HIDIOCGUSAGES:
                        /* HEAP OVERFLOW, attacker controls num_values */
                        for (i = 0; i < uref_multi->num_values; i++)
                                uref_multi->values[i] =
                                    field->value[uref->usage_index + i];
                        if (copy_to_user(user_arg, uref_multi,
                                         sizeof(*uref_multi)))
                                goto fault;
                        goto goodreturn;
                case HIDIOCSUSAGES:
                        /* HEAP OVERFLOW, attacker controls num_values */
                        for (i = 0; i < uref_multi->num_values; i++)
                                field->value[uref->usage_index + i] =
                                    uref_multi->values[i];
                        goto goodreturn;
                }

The issue has been fixed upstream here:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5

Attached is a PoC illustrating the issue.

Thank you.

Attachment: usb_hiddev.c
Attachment: signature.asc (OpenPGP digital signature)
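The hardened form of the two loops quoted above, as an added example that is neither the kernel's code nor part of the original post: a user-space model of the bounds check a HIDIOCGUSAGES/HIDIOCSUSAGES handler needs before it iterates over the caller-supplied num_values. The struct layouts, function names and the constructed eight-value sample field are assumptions made for the example; HID_MAX_MULTI_USAGES is the kernel's own constant (1024) from include/uapi/linux/hiddev.h. The check rejects a num_values larger than the values[] array, a window that runs past the field's report_count, and an index/count pair whose sum would wrap in 32-bit arithmetic.

```c
/* Added example: user-space model of a bounds-checked multi-usage copy.
 * Not the kernel's code; structures are simplified assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HID_MAX_MULTI_USAGES 1024   /* same value as in hiddev.h */

/* Assumed, simplified shape of the kernel's hid_field. */
struct model_field {
    uint32_t report_count;          /* number of entries in value[] */
    int32_t *value;                 /* backing array, report_count entries */
};

/* Assumed, simplified shape of hiddev_usage_ref_multi. */
struct model_usage_ref_multi {
    uint32_t usage_index;           /* user supplied */
    uint32_t num_values;            /* user supplied, must be validated */
    int32_t values[HID_MAX_MULTI_USAGES];
};

/* Returns 0 when [usage_index, usage_index + num_values) lies inside both
 * the field's value[] and the caller's values[], -EINVAL otherwise.
 * The sum is formed in 64 bits so it cannot wrap around. */
int multi_usage_bounds_ok(uint32_t usage_index, uint32_t num_values,
                          uint32_t report_count)
{
    if (num_values > HID_MAX_MULTI_USAGES)
        return -EINVAL;
    if ((uint64_t)usage_index + num_values > report_count)
        return -EINVAL;
    return 0;
}

/* HIDIOCGUSAGES-style read: field -> uref->values, only after the check. */
int model_get_usages(const struct model_field *field,
                     struct model_usage_ref_multi *uref)
{
    int rc = multi_usage_bounds_ok(uref->usage_index, uref->num_values,
                                   field->report_count);
    if (rc)
        return rc;
    for (uint32_t i = 0; i < uref->num_values; i++)
        uref->values[i] = field->value[uref->usage_index + i];
    return 0;
}

/* HIDIOCSUSAGES-style write: uref->values -> field, only after the check. */
int model_set_usages(struct model_field *field,
                     const struct model_usage_ref_multi *uref)
{
    int rc = multi_usage_bounds_ok(uref->usage_index, uref->num_values,
                                   field->report_count);
    if (rc)
        return rc;
    for (uint32_t i = 0; i < uref->num_values; i++)
        field->value[uref->usage_index + i] = uref->values[i];
    return 0;
}

/* Exercises the model on a constructed field; returns 0 on success,
 * otherwise the number of the first failing case. */
int model_selftest(void)
{
    int32_t backing[8] = {10, 11, 12, 13, 14, 15, 16, 17};  /* constructed */
    struct model_field field = { .report_count = 8, .value = backing };
    struct model_usage_ref_multi uref;
    memset(&uref, 0, sizeof uref);

    uref.usage_index = 2; uref.num_values = 3;              /* in bounds */
    if (model_get_usages(&field, &uref) != 0) return 1;
    if (uref.values[0] != 12 || uref.values[2] != 14) return 2;

    uref.usage_index = 6; uref.num_values = 3;              /* 6 + 3 > 8 */
    if (model_get_usages(&field, &uref) != -EINVAL) return 3;

    uref.usage_index = 0; uref.num_values = HID_MAX_MULTI_USAGES + 1;
    if (model_set_usages(&field, &uref) != -EINVAL) return 4;

    uref.usage_index = 0xffffffffu; uref.num_values = 2;    /* 32-bit wrap */
    if (model_set_usages(&field, &uref) != -EINVAL) return 5;

    uref.usage_index = 5; uref.num_values = 3;              /* writes 5..7 */
    uref.values[0] = 50; uref.values[1] = 51; uref.values[2] = 52;
    if (model_set_usages(&field, &uref) != 0) return 6;
    if (backing[5] != 50 || backing[7] != 52 || backing[4] != 14) return 7;

    return 0;
}

int main(void)
{
    int rc = model_selftest();
    printf("model_selftest: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The check must come before either loop, because the loop bound is the caller's num_values; validating num_values against the values[] array alone is not enough, since usage_index + num_values also has to fit inside the field's report_count.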