Another potential issue (similar but distinct from https://code.google.com/p/google-security-research/issues/detail?id=89) exists in drivers/hid/hid-logitech-dj.c that can result in a heap overflow. The bounds check on "count" in logi_dj_ll_raw_request appears to only apply a minimum bound on "count", not a maximum. The allocated output buffer is 15 (DJREPORT_SHORT_LENGTH) bytes in length, but hid_hw_raw_request will issue requests up to 4096 (HID_MAX_BUFFER_SIZE), which could result in heap overflow.
This issue has not been triggered/confirmed, but a suggested patch has been attached. This assumes that the current behavior of rounding "count" up to a bigger value is erroneous (since it could leak a small amount of data contiguous to "buf") - this assumption should be confirmed with the device driver maintainer.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachment: logitech-dj-device-index-fix-2.patch (519 bytes)
Status: Fixed
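The length arithmetic described in the report, as an added user-space model (not the driver's code and not the attached patch): it compares a minimum-only check with a cap at the buffer's payload capacity. The 2-byte header (`HDR_LEN`) and all function names are assumptions made for this illustration; the two sizes are the ones quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DJREPORT_SHORT_LENGTH 15   /* output buffer size, from the report */
#define HID_MAX_BUFFER_SIZE 4096   /* largest request size, from the report */
#define HDR_LEN 2                  /* assumption: header bytes ahead of the payload */
#define PAYLOAD_MAX (DJREPORT_SHORT_LENGTH - HDR_LEN)

/* Model of the reported check: small counts are raised, large ones pass through. */
static size_t copy_len_min_only(size_t count)
{
    return count < PAYLOAD_MAX ? PAYLOAD_MAX : count;
}

/* Bytes a copy of copy_len payload bytes would write past the output buffer. */
static size_t overflow_bytes(size_t copy_len)
{
    return copy_len > PAYLOAD_MAX ? copy_len - PAYLOAD_MAX : 0;
}

/* Bytes read beyond the caller's count-byte buffer (the small-leak case). */
static size_t overread_bytes(size_t count, size_t copy_len)
{
    return copy_len > count ? copy_len - count : 0;
}

/* Hardened form: cap at the payload capacity; header bytes are left zero here. */
static size_t build_short_report(uint8_t *out, const uint8_t *buf, size_t count)
{
    size_t n = count > PAYLOAD_MAX ? PAYLOAD_MAX : count;

    memset(out, 0, DJREPORT_SHORT_LENGTH);  /* short inputs are zero-padded */
    memcpy(out + HDR_LEN, buf, n);          /* never reads past count bytes */
    return n;
}

int main(void)
{
    uint8_t src[HID_MAX_BUFFER_SIZE] = {0}, out[DJREPORT_SHORT_LENGTH];
    size_t counts[] = { 1, PAYLOAD_MAX, 64, HID_MAX_BUFFER_SIZE };

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t len = copy_len_min_only(counts[i]);
        printf("count=%4zu min-only: overflow=%4zu overread=%2zu capped copy=%zu\n",
               counts[i], overflow_bytes(len), overread_bytes(counts[i], len),
               build_short_report(out, src, counts[i]));
    }
    return 0;
}
```

Under these assumptions only a count of exactly 13 is safe with the minimum-only check: anything larger writes past the 15-byte buffer, and anything smaller reads past the caller's buffer.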