github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-02 19:43:40 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
8ec321e96e
linux/drivers/hid
History
Alan Stern 8ec321e96e HID: Fix slab-out-of-bounds read in hid_field_extract 
The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
handler.  The bug was caused by a report descriptor which included a
field with size 12 bits and count 4899, for a total size of 7349
bytes.

The usbhid driver uses at most a single-page 4-KB buffer for reports.
In the test there wasn't any problem about overflowing the buffer,
since only one byte was received from the device.  Rather, the bug
occurred when the HID core tried to extract the data from the report
fields, which caused it to try reading data beyond the end of the
allocated buffer.

This patch fixes the problem by rejecting any report whose total
length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
for a possible report index).  In theory a device could have a report
longer than that, but if there was such a thing we wouldn't handle it
correctly anyway.

Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2019-12-11 15:17:39 +01:00
..
i2c-hid Merge branch 'for-5.5/i2c' into for-linus 2019-11-29 20:36:45 +01:00
intel-ish-hid HID: intel-ish-hid: Spelling s/diconnect/disconnect/ 2019-11-02 21:08:36 +01:00
usbhid compat_ioctl: move drivers to compat_ptr_ioctl 2019-10-23 17:23:43 +02:00
hid-a4tech.c HID: input: fix a4tech horizontal wheel custom usage 2019-08-05 14:37:15 +02:00
hid-accutouch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-alps.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-apple.c HID: apple: Fix stuck function keys when using FN 2019-09-04 09:22:55 +02:00
hid-appleir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-asus.c platform-drivers-x86 for v5.3-1 2019-07-14 16:51:47 -07:00
hid-aureal.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
hid-axff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-belkin.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-betopff.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-bigbenff.c HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad 2018-09-24 11:49:32 +02:00
hid-cherry.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-chicony.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-cmedia.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-core.c HID: Fix slab-out-of-bounds read in hid_field_extract 2019-12-11 15:17:39 +01:00
hid-corsair.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-cougar.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-cp2112.c HID: cp2112: prevent sleeping function called from invalid context 2019-08-19 14:13:00 +02:00
hid-creative-sb0540.c HID: sb0540: add support for Creative SB0540 IR receivers 2019-09-03 16:52:04 +02:00
hid-cypress.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-debug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-dr.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-elan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-elecom.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-elo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 307 2019-06-05 17:37:04 +02:00
hid-emsff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-ezkey.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-gaff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-gembird.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-generic.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-gfrm.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-google-hammer.c Merge branch 'for-5.5/whiskers' into for-linus 2019-11-29 20:39:21 +01:00
hid-gt683r.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
hid-gyration.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-holtek-kbd.c HID: holtek: test for sanity of intfdata 2019-08-05 14:18:42 +02:00
hid-holtek-mouse.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-hyperv.c HID: hyperv: Add the support of hibernation 2019-11-21 20:10:45 -05:00
hid-icade.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ids.h HID: multitouch: Add LG MELF0410 I2C touchscreen support 2019-12-09 13:55:05 +01:00
hid-input.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-ite.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
hid-jabra.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-kensington.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-keytouch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-kye.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-lcpower.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-led.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
hid-lenovo.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-lg-g15.c HID: lg-g15: Add support for the G510's M1-M3 and MR LEDs 2019-10-03 20:48:28 +02:00
hid-lg.c HID: logitech: Fix general protection fault caused by Logitech driver 2019-08-22 09:53:08 +02:00
hid-lg.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lg2ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lgff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-logitech-dj.c Merge branch 'for-5.4/logitech' into for-linus 2019-09-22 22:39:01 +02:00
hid-logitech-hidpp.c Merge branch 'for-5.5/logitech' into for-linus 2019-11-29 20:37:55 +01:00
hid-macally.c HID: macally: Add support for Macally ikey keyboard 2019-04-03 17:14:13 +02:00
hid-magicmouse.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-maltron.c Support for Maltron L90 keyboard media keys 2019-01-14 20:11:01 +01:00
hid-mf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
hid-microsoft.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-monterey.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-multitouch.c HID: multitouch: Add LG MELF0410 I2C touchscreen support 2019-12-09 13:55:05 +01:00
hid-nti.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ntrig.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ortek.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-penmount.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-petalynx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-picolcd_backlight.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_cir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_core.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-picolcd_debugfs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_fb.c video: fbdev: don't print error message on framebuffer_alloc() failure 2019-06-28 12:30:08 +02:00
hid-picolcd_lcd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-pl.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-plantronics.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-primax.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-prodikeys.c HID: prodikeys: make array keys static const, makes object smaller 2019-10-01 16:21:04 +02:00
hid-quirks.c Merge branch 'for-5.5/core' into for-linus 2019-11-29 20:34:28 +01:00
hid-redragon.c HID: redragon: fix num lock and caps lock LEDs 2018-06-25 15:23:40 +02:00
hid-retrode.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-rmi.c HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transport device 2019-11-18 10:23:45 +01:00
hid-roccat-arvo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-arvo.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-common.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-common.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-isku.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-isku.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kone.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kone.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-koneplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-koneplus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-konepure.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kovaplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kovaplus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-lua.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-lua.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-pyra.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-pyra.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-ryos.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-savu.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-savu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-saitek.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-samsung.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-sensor-custom.c *: convert stream-like files -> stream_open, even if they use noop_llseek 2019-07-14 16:09:19 +03:00
hid-sensor-hub.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-sjoy.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-sony.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-speedlink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-steam.c HID: steam: fix deadlock with input devices. 2019-03-18 14:44:20 +01:00
hid-steelseries.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-sunplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-tivo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-tmff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-topseed.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-twinhan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 178 2019-05-30 11:29:19 -07:00
hid-u2fzero.c HID: u2fzero: fail probe if not using USB transport 2019-04-17 16:39:43 +02:00
hid-uclogic-core.c Merge branch 'for-5.3/uclogic' into for-linus 2019-07-10 01:40:23 +02:00
hid-uclogic-params.c Merge branch 'for-5.3/uclogic' into for-linus 2019-07-10 01:40:23 +02:00
hid-uclogic-params.h HID: uclogic: Support Gray-coded rotary encoders 2019-02-21 12:00:54 +01:00
hid-uclogic-rdesc.c HID: uclogic: Add support for Ugee G5 2019-02-21 12:00:54 +01:00
hid-uclogic-rdesc.h HID: uclogic: Add support for Ugee G5 2019-02-21 12:00:54 +01:00
hid-udraw-ps3.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-viewsonic.c HID: viewsonic: Support PD1011 signature pad 2019-02-21 12:00:53 +01:00
hid-waltop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-core.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-debug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-modules.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-xinmo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-zpff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-zydacron.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hidraw.c HID: hidraw: Fix returning EPOLLOUT from hidraw_poll 2019-12-09 13:52:29 +01:00
Kconfig HID: logitech: Add depends on LEDS_CLASS to Logitech Kconfig entry 2019-10-04 10:48:31 -04:00
Makefile HID: Add driver for Logitech gaming keyboards (G15, G15 v2) 2019-10-03 20:48:27 +02:00
uhid.c HID: uhid: Fix returning EPOLLOUT from uhid_char_poll 2019-12-09 13:53:37 +01:00
wacom_sys.c HID: wacom: do not call hid_set_drvdata(hdev, NULL) 2019-08-22 17:08:09 +02:00
wacom_wac.c HID: wacom: generic: Treat serial number and related fields as unsigned 2019-11-06 21:37:29 +01:00
wacom_wac.h Merge branches 'for-5.2/fixes', 'for-5.3/doc', 'for-5.3/ish', 'for-5.3/logitech' and 'for-5.3/wacom' into for-linus 2019-07-10 01:39:57 +02:00
wacom.h HID: wacom: generic: Treat serial number and related fields as unsigned 2019-11-06 21:37:29 +01:00