From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Jiri Kosina <jkosina@suse.cz>,
syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Subject: [PATCH 5.2 16/45] HID: hidraw: Fix invalid read in hidraw_ioctl
Date: Sun, 29 Sep 2019 15:55:44 +0200 [thread overview]
Message-ID: <20190929135028.883859509@linuxfoundation.org> (raw)
In-Reply-To: <20190929135024.387033930@linuxfoundation.org>
From: Alan Stern <stern@rowland.harvard.edu>
commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream.
The syzbot fuzzer has reported a pair of problems in the
hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
read. An example of the first:
BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833
CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
strlen+0x79/0x90 lib/string.c:525
strlen include/linux/string.h:281 [inline]
hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff
The two problems have the same cause: hidraw_ioctl() fails to test
whether the device has been removed. This patch adds the missing test.
Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hidraw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -370,7 +370,7 @@ static long hidraw_ioctl(struct file *fi
mutex_lock(&minors_lock);
dev = hidraw_table[minor];
- if (!dev) {
+ if (!dev || !dev->exist) {
ret = -ENODEV;
goto out;
}
next prev parent reply other threads:[~2019-09-29 14:05 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-29 13:55 [PATCH 5.2 00/45] 5.2.18-stable review Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 01/45] Revert "Bluetooth: validate BLE connection interval updates" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 02/45] smb3: fix unmount hang in open_shroot Greg Kroah-Hartman
2019-10-01 20:41 ` Pavel Shilovskiy
2019-10-01 22:49 ` Sasha Levin
2019-10-01 22:58 ` Pavel Shilovskiy
2019-09-29 13:55 ` [PATCH 5.2 03/45] phy: qcom-qmp: Raise qcom_qmp_phy_enable() polling delay Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 04/45] phy: qcom-qmp: Correct ready status, again Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 05/45] net/ibmvnic: free reset work of removed device from queue Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 06/45] drm/amd/display: Allow cursor async updates for framebuffer swaps Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 07/45] drm/amd/display: Skip determining update type for async updates Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 08/45] drm/amd/display: Dont replace the dc_state for fast updates Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 09/45] powerpc/xive: Fix bogus error code returned by OPAL Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 10/45] drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 11/45] Revert "net: hns: fix LED configuration for marvell phy" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 12/45] HID: prodikeys: Fix general protection fault during probe Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 13/45] HID: sony: Fix memory corruption issue on cleanup Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 14/45] HID: logitech: Fix general protection fault caused by Logitech driver Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 15/45] HID: logitech-dj: Fix crash when initial logi_dj_recv_query_paired_devices fails Greg Kroah-Hartman
2019-09-29 13:55 ` Greg Kroah-Hartman [this message]
2019-09-29 13:55 ` [PATCH 5.2 17/45] HID: Add quirk for HP X500 PIXART OEM mouse Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 18/45] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Greg Kroah-Hartman
2019-09-29 13:55 ` Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 19/45] crypto: talitos - fix missing break in switch statement Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 20/45] clk: imx: imx8mm: fix audio pll setting Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 21/45] Revert "HID: logitech-hidpp: add USB PID for a few more supported mice" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 22/45] Revert "mm/z3fold.c: fix race between migration and destruction" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 23/45] ALSA: usb-audio: Add Hiby device family to quirks for native DSD support Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 24/45] ALSA: usb-audio: Add DSD support for EVGA NU Audio Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 25/45] ALSA: dice: fix wrong packet parameter for Alesis iO26 Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 26/45] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 27/45] ALSA: hda - Apply AMD controller workaround for Raven platform Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 28/45] platform/x86: i2c-multi-instantiate: Derive the device name from parent Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 29/45] objtool: Clobber user CFLAGS variable Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 30/45] Revert "f2fs: avoid out-of-range memory access" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 31/45] dm zoned: fix invalid memory access Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 32/45] net/ibmvnic: Fix missing { in __ibmvnic_reset Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 33/45] f2fs: fix to do sanity check on segment bitmap of LFS curseg Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 34/45] drm: Flush output polling on shutdown Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 35/45] drm/dp: Add DP_DPCD_QUIRK_NO_SINK_COUNT Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 36/45] net: dont warn in inet diag when IPV6 is disabled Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 37/45] Bluetooth: btrtl: HCI reset on close for Realtek BT chip Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 38/45] ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 39/45] drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 40/45] xfs: dont crash on null attr fork xfs_bmapi_read Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 41/45] xfrm: policy: avoid warning splat when merging nodes Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 42/45] netfilter: nft_socket: fix erroneous socket assignment Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 43/45] Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 44/45] net_sched: check cops->tcf_block in tc_bind_tclass() Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 45/45] net/rds: An rds_sock is added too early to the hash table Greg Kroah-Hartman
2019-09-29 19:00 ` [PATCH 5.2 00/45] 5.2.18-stable review kernelci.org bot
2019-09-30 18:30 ` Guenter Roeck
2019-10-01 0:53 ` shuah
2019-10-01 1:10 ` Dan Rue
2019-10-01 14:58 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190929135028.883859509@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.