From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Subject: [PATCH 4.4 34/46] HID: Fix assumption that devices have inputs
Date: Mon, 4 Nov 2019 22:45:05 +0100 [thread overview]
Message-ID: <20191104211908.637393807@linuxfoundation.org> (raw)
In-Reply-To: <20191104211830.912265604@linuxfoundation.org>
From: Alan Stern <stern@rowland.harvard.edu>
commit d9d4b1e46d9543a82c23f6df03f4ad697dab361b upstream.
The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-axff.c | 11 +++++++++--
drivers/hid/hid-dr.c | 12 +++++++++---
drivers/hid/hid-emsff.c | 12 +++++++++---
drivers/hid/hid-gaff.c | 12 +++++++++---
drivers/hid/hid-holtekff.c | 12 +++++++++---
drivers/hid/hid-lg2ff.c | 12 +++++++++---
drivers/hid/hid-lg3ff.c | 11 +++++++++--
drivers/hid/hid-lg4ff.c | 11 +++++++++--
drivers/hid/hid-lgff.c | 11 +++++++++--
drivers/hid/hid-sony.c | 12 +++++++++---
drivers/hid/hid-tmff.c | 12 +++++++++---
drivers/hid/hid-zpff.c | 12 +++++++++---
12 files changed, 108 insertions(+), 32 deletions(-)
--- a/drivers/hid/hid-axff.c
+++ b/drivers/hid/hid-axff.c
@@ -75,13 +75,20 @@ static int axff_init(struct hid_device *
{
struct axff_device *axff;
struct hid_report *report;
- struct hid_input *hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
+ struct hid_input *hidinput;
struct list_head *report_list =&hid->report_enum[HID_OUTPUT_REPORT].report_list;
- struct input_dev *dev = hidinput->input;
+ struct input_dev *dev;
int field_count = 0;
int i, j;
int error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
+ dev = hidinput->input;
+
if (list_empty(report_list)) {
hid_err(hid, "no output reports found\n");
return -ENODEV;
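Review bot: The same six-line guard is pasted into twelve drivers (hid-dr, hid-emsff, hid-gaff, hid-holtekff, hid-lg2ff, hid-lg3ff, hid-lg4ff, hid-lgff, hid-sony, hid-tmff and hid-zpff repeat it), and the lookups already differ between `list_first_entry(&hid->inputs, ...)` here and `list_entry(hid->inputs.next, ...)` elsewhere, so the copies will drift the next time a force-feedback driver is added or audited. A small helper in the HID core that returns the first `struct input_dev *` or NULL when `hid->inputs` is empty would give every driver one checked path, reducing the per-driver code to `dev = hid_first_input_dev(hid); if (!dev) return -ENODEV;` (helper name illustrative). For a stable backport the open-coded form mirrors upstream and is acceptable, but the helper is worth a follow-up upstream. axff_init continues past the end of the hunk.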
--- a/drivers/hid/hid-dr.c
+++ b/drivers/hid/hid-dr.c
@@ -87,13 +87,19 @@ static int drff_init(struct hid_device *
{
struct drff_device *drff;
struct hid_report *report;
- struct hid_input *hidinput = list_first_entry(&hid->inputs,
- struct hid_input, list);
+ struct hid_input *hidinput;
struct list_head *report_list =
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
- struct input_dev *dev = hidinput->input;
+ struct input_dev *dev;
int error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
+ dev = hidinput->input;
+
if (list_empty(report_list)) {
hid_err(hid, "no output reports found\n");
return -ENODEV;
--- a/drivers/hid/hid-emsff.c
+++ b/drivers/hid/hid-emsff.c
@@ -59,13 +59,19 @@ static int emsff_init(struct hid_device
{
struct emsff_device *emsff;
struct hid_report *report;
- struct hid_input *hidinput = list_first_entry(&hid->inputs,
- struct hid_input, list);
+ struct hid_input *hidinput;
struct list_head *report_list =
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
- struct input_dev *dev = hidinput->input;
+ struct input_dev *dev;
int error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
+ dev = hidinput->input;
+
if (list_empty(report_list)) {
hid_err(hid, "no output reports found\n");
return -ENODEV;
--- a/drivers/hid/hid-gaff.c
+++ b/drivers/hid/hid-gaff.c
@@ -77,14 +77,20 @@ static int gaff_init(struct hid_device *
{
struct gaff_device *gaff;
struct hid_report *report;
- struct hid_input *hidinput = list_entry(hid->inputs.next,
- struct hid_input, list);
+ struct hid_input *hidinput;
struct list_head *report_list =
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
struct list_head *report_ptr = report_list;
- struct input_dev *dev = hidinput->input;
+ struct input_dev *dev;
int error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
if (list_empty(report_list)) {
hid_err(hid, "no output reports found\n");
return -ENODEV;
--- a/drivers/hid/hid-holtekff.c
+++ b/drivers/hid/hid-holtekff.c
@@ -140,13 +140,19 @@ static int holtekff_init(struct hid_devi
{
struct holtekff_device *holtekff;
struct hid_report *report;
- struct hid_input *hidinput = list_entry(hid->inputs.next,
- struct hid_input, list);
+ struct hid_input *hidinput;
struct list_head *report_list =
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
- struct input_dev *dev = hidinput->input;
+ struct input_dev *dev;
int error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
if (list_empty(report_list)) {
hid_err(hid, "no output report found\n");
return -ENODEV;
--- a/drivers/hid/hid-lg2ff.c
+++ b/drivers/hid/hid-lg2ff.c
@@ -62,11 +62,17 @@ int lg2ff_init(struct hid_device *hid)
{
struct lg2ff_device *lg2ff;
struct hid_report *report;
- struct hid_input *hidinput = list_entry(hid->inputs.next,
- struct hid_input, list);
- struct input_dev *dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *dev;
int error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
/* Check that the report looks ok */
report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7);
if (!report)
--- a/drivers/hid/hid-lg3ff.c
+++ b/drivers/hid/hid-lg3ff.c
@@ -129,12 +129,19 @@ static const signed short ff3_joystick_a
int lg3ff_init(struct hid_device *hid)
{
- struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
- struct input_dev *dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *dev;
const signed short *ff_bits = ff3_joystick_ac;
int error;
int i;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
/* Check that the report looks ok */
if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35))
return -ENODEV;
--- a/drivers/hid/hid-lg4ff.c
+++ b/drivers/hid/hid-lg4ff.c
@@ -1158,8 +1158,8 @@ static int lg4ff_handle_multimode_wheel(
int lg4ff_init(struct hid_device *hid)
{
- struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
- struct input_dev *dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *dev;
struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
struct hid_report *report = list_entry(report_list->next, struct hid_report, list);
const struct usb_device_descriptor *udesc = &(hid_to_usb_dev(hid)->descriptor);
@@ -1171,6 +1171,13 @@ int lg4ff_init(struct hid_device *hid)
int mmode_ret, mmode_idx = -1;
u16 real_product_id;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
/* Check that the report looks ok */
if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
return -1;
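Review bot: `report` on the context line `struct hid_report *report = list_entry(report_list->next, struct hid_report, list);` is still derived from the head of `report_list` with no emptiness check, which is the same class of assumption this patch removes for `hid->inputs`; when the output report list is empty that pointer is a container_of() of the list head rather than a report, and whether it is dereferenced before `hid_validate_values()` rejects the device is not visible in this hunk. The new guard also returns `-ENODEV` while the validation a few lines below returns `-1`, so one function now reports failure under two conventions; `return -ENODEV;` there would match the rest of the series. lg4ff_init continues past the end of the hunk, and the first hunk in this file only moves the declarations.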
--- a/drivers/hid/hid-lgff.c
+++ b/drivers/hid/hid-lgff.c
@@ -127,12 +127,19 @@ static void hid_lgff_set_autocenter(stru
int lgff_init(struct hid_device* hid)
{
- struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
- struct input_dev *dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *dev;
const signed short *ff_bits = ff_joystick;
int error;
int i;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
/* Check that the report looks ok */
if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
return -ENODEV;
--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -1960,9 +1960,15 @@ static int sony_play_effect(struct input
static int sony_init_ff(struct sony_sc *sc)
{
- struct hid_input *hidinput = list_entry(sc->hdev->inputs.next,
- struct hid_input, list);
- struct input_dev *input_dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *input_dev;
+
+ if (list_empty(&sc->hdev->inputs)) {
+ hid_err(sc->hdev, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(sc->hdev->inputs.next, struct hid_input, list);
+ input_dev = hidinput->input;
input_set_capability(input_dev, EV_FF, FF_RUMBLE);
return input_ff_create_memless(input_dev, NULL, sony_play_effect);
--- a/drivers/hid/hid-tmff.c
+++ b/drivers/hid/hid-tmff.c
@@ -136,12 +136,18 @@ static int tmff_init(struct hid_device *
struct tmff_device *tmff;
struct hid_report *report;
struct list_head *report_list;
- struct hid_input *hidinput = list_entry(hid->inputs.next,
- struct hid_input, list);
- struct input_dev *input_dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *input_dev;
int error;
int i;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ input_dev = hidinput->input;
+
tmff = kzalloc(sizeof(struct tmff_device), GFP_KERNEL);
if (!tmff)
return -ENOMEM;
--- a/drivers/hid/hid-zpff.c
+++ b/drivers/hid/hid-zpff.c
@@ -66,11 +66,17 @@ static int zpff_init(struct hid_device *
{
struct zpff_device *zpff;
struct hid_report *report;
- struct hid_input *hidinput = list_entry(hid->inputs.next,
- struct hid_input, list);
- struct input_dev *dev = hidinput->input;
+ struct hid_input *hidinput;
+ struct input_dev *dev;
int i, error;
+ if (list_empty(&hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
+ hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+ dev = hidinput->input;
+
for (i = 0; i < 4; i++) {
report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
if (!report)