github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 23:23:53 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
ad779b05b4
linux/drivers/hid
History
Jiri Kosina b2b6cadad6 HID: fix data access in implement() 
commit 27ce405039 upstream.

implement() is setting bytes in LE data stream. In case the data is not
aligned to 64bits, it reads past the allocated buffer. It doesn't really
change any value there (it's properly bitmasked), but in case that this
read past the boundary hits a page boundary, pagefault happens when
accessing 64bits of 'x' in implement(), and kernel oopses.

This happens much more often when numbered reports are in use, as the
initial 8bit skip in the buffer makes the whole process work on values
which are not aligned to 64bits.

This problem dates back to attempts in 2005 and 2006 to make implement()
and extract() as generic as possible, and even back then the problem
was realized by Adam Kroperlin, but falsely assumed to be impossible
to cause any harm:

  http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html

I have made several attempts at fixing it "on the spot" directly in
implement(), but the results were horrible; the special casing for processing
last 64bit chunk and switching to different math makes it unreadable mess.

I therefore took a path to allocate a few bytes more which will never make
it into final report, but are there as a cushion for all the 64bit math
operations happening in implement() and extract().

All callers of hid_output_report() are converted at the same time to allocate
the buffer by newly introduced hid_alloc_report_buf() helper.

Bruno noticed that the whole raw_size test can be dropped as well, as
hid_alloc_report_buf() makes sure that the buffer is always of a proper
size.

Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-10-13 16:08:28 -07:00
..
i2c-hid HID: i2c-hid: fix length for set/get report in i2c hid 2013-04-04 09:59:32 +02:00
usbhid HID: fix data access in implement() 2013-10-13 16:08:28 -07:00
hid-a4tech.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-apple.c HID: apple: Add support for the 2013 Macbook Air 2013-07-21 18:21:29 -07:00
hid-appleir.c HID: appleir: add support for Apple ir devices 2013-04-18 19:06:20 -07:00
hid-aureal.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-axff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-belkin.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-cherry.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-chicony.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-core.c HID: fix data access in implement() 2013-10-13 16:08:28 -07:00
hid-cypress.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-debug.c HID: debug: fix RCU preemption issue 2013-05-06 13:07:33 +02:00
hid-dr.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-elecom.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-emsff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-ezkey.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-gaff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-generic.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-gyration.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-holtek-kbd.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-holtekff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-hyperv.c Drivers: hid: hid-hyperv: Use consolidated GUID definitions 2013-01-25 11:17:31 -08:00
hid-icade.c HID: icade: u16 which never < 0 2013-04-24 16:32:27 +02:00
hid-ids.h HID: usbhid: quirk for N-Trig DuoSense Touch Screen 2013-09-26 17:18:17 -07:00
hid-input.c HID: validate feature and input report details 2013-10-01 09:17:46 -07:00
hid-kensington.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-keytouch.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-kye.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-lcpower.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-lenovo-tpkbd.c HID: lenovo-tpkbd: validate output report details 2013-10-01 09:17:46 -07:00
hid-lg.c Merge branches 'for-3.9/logitech', 'for-3.9/multitouch', 'for-3.9/ntrig', 'for-3.9/thingm' and 'for-3.9/upstream' into for-linus 2013-02-21 10:45:01 +01:00
hid-lg.h HID: hid-lg4ff: Adjust X axis input value accordingly to selected range. 2012-09-25 15:41:02 +02:00
hid-lg2ff.c HID: LG: validate HID output report details 2013-10-01 09:17:46 -07:00
hid-lg3ff.c HID: LG: validate HID output report details 2013-10-01 09:17:46 -07:00
hid-lg4ff.c HID: LG: validate HID output report details 2013-10-01 09:17:46 -07:00
hid-lgff.c HID: LG: validate HID output report details 2013-10-01 09:17:46 -07:00
hid-logitech-dj.c HID: fix data access in implement() 2013-10-13 16:08:28 -07:00
hid-logitech-dj.h Revert "HID: Fix logitech-dj: missing Unifying device issue" 2013-03-01 14:14:59 +01:00
hid-magicmouse.c Merge branches 'for-3.10/appleir', 'for-3.10/hid-debug', 'for-3.10/hid-driver-transport-cleanups', 'for-3.10/i2c-hid' and 'for-3.10/logitech' into for-linus 2013-04-30 10:12:44 +02:00
hid-microsoft.c HID: Add PID for Japanese version of NE4K keyboard 2013-04-29 10:16:55 +02:00
hid-monterey.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-multitouch.c HID: multitouch: validate indexes details 2013-10-01 09:17:46 -07:00
hid-ntrig.c HID: ntrig: validate feature report details 2013-09-26 17:18:16 -07:00
hid-ortek.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-petalynx.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-picolcd_backlight.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd_cir.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-26 17:18:16 -07:00
hid-picolcd_core.c HID: picolcd_core: validate output report details 2013-09-26 17:18:16 -07:00
hid-picolcd_debugfs.c HID: fix data access in implement() 2013-10-13 16:08:28 -07:00
hid-picolcd_fb.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-26 17:18:16 -07:00
hid-picolcd_lcd.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd_leds.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd.h Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
hid-pl.c HID: pantherlord: validate output report details 2013-09-26 17:18:15 -07:00
hid-primax.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-prodikeys.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-ps3remote.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-roccat-arvo.c HID: roccat: rename roccat_common functions to roccat_common2 2012-06-28 10:34:01 +02:00
hid-roccat-arvo.h HID: roccat: correction and cleanup of HID feature reports 2011-06-13 12:52:57 +02:00
hid-roccat-common.c HID: roccat: rename roccat_common functions to roccat_common2 2012-06-28 10:34:01 +02:00
hid-roccat-common.h HID: roccat: rename roccat_common functions to roccat_common2 2012-06-28 10:34:01 +02:00
hid-roccat-isku.c HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-isku.h HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-kone.c HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-kone.h HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-koneplus.c HID: roccat: deprecate some Koneplus attributes 2012-11-12 15:30:28 +01:00
hid-roccat-koneplus.h HID: roccat: fix wrong attr size for koneplus tcu 2012-11-18 22:58:28 +01:00
hid-roccat-konepure.c HID: roccat: add support for Roccat Kone Pure gaming mouse 2013-03-14 11:50:49 +01:00
hid-roccat-konepure.h HID: roccat: add support for Roccat Kone Pure gaming mouse 2013-03-14 11:50:49 +01:00
hid-roccat-kovaplus.c HID: roccat: deprecate some Kovaplus attributes 2012-11-12 15:30:29 +01:00
hid-roccat-kovaplus.h HID: roccat: deprecate some Kovaplus attributes 2012-11-12 15:30:29 +01:00
hid-roccat-lua.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-roccat-lua.h HID: roccat: add support for Roccat Lua 2012-10-17 10:44:47 +02:00
hid-roccat-pyra.c HID: roccat: deprecated some Pyra attributes 2012-11-12 15:30:28 +01:00
hid-roccat-pyra.h HID: roccat: deprecated some Pyra attributes 2012-11-12 15:30:28 +01:00
hid-roccat-savu.c HID: roccat: enable Savu device reset 2012-11-05 13:17:39 +01:00
hid-roccat-savu.h HID: roccat: added sensor sysfs attribute for Savu 2012-07-20 09:50:42 +02:00
hid-roccat.c HID: roccat: fix comments on chardevice 2013-03-14 11:50:49 +01:00
hid-saitek.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-samsung.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-sensor-hub.c HID: sensor-hub: validate feature report details 2013-09-26 17:18:16 -07:00
hid-sjoy.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-sony.c Merge branches 'for-3.9/sony' and 'for-3.9/steelseries' into for-linus 2013-02-21 10:45:52 +01:00
hid-speedlink.c HID: Fix Speedlink VAD Cezanne support for some devices 2013-09-26 17:18:16 -07:00
hid-steelseries.c HID: steelseries: validate output report details 2013-10-01 09:17:46 -07:00
hid-sunplus.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-thingm.c HID: Kconfig: Remove explicit transport layer dependencies 2013-02-25 13:26:40 +01:00
hid-tivo.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-tmff.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-topseed.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-twinhan.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-uclogic.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-wacom.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-waltop.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-wiimote-core.c HID: wiimote: parse reduced status reports 2013-04-04 09:38:43 +02:00
hid-wiimote-debug.c HID: Fix uninitialized variable "size" in hid-wiimote-debug 2013-01-18 10:59:24 +01:00
hid-wiimote-ext.c HID: wiimote: fix nunchuck button parser 2013-02-18 10:41:52 +01:00
hid-wiimote.h HID: wiimote: Allow direct DRM debug access 2011-11-22 23:11:10 +01:00
hid-zpff.c HID: zeroplus: validate output report details 2013-10-01 09:17:46 -07:00
hid-zydacron.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hidraw.c HID: hidraw: correctly deallocate memory on device disconnect 2013-09-26 17:18:17 -07:00
Kconfig Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
Makefile Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
uhid.c HID: uhid: make creating devices work on 64/32 systems 2013-02-18 11:28:16 +01:00