From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com,
ZhangPeng <zhangpeng362@huawei.com>,
Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 4.14 18/38] HID: core: fix shift-out-of-bounds in hid_report_raw_event
Date: Mon, 12 Dec 2022 14:19:19 +0100 [thread overview]
Message-ID: <20221212130913.035913261@linuxfoundation.org> (raw)
In-Reply-To: <20221212130912.069170932@linuxfoundation.org>
From: ZhangPeng <zhangpeng362@huawei.com>
commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.
Syzbot reported shift-out-of-bounds in hid_report_raw_event.
microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
snto32 drivers/hid/hid-core.c:1323 [inline]
hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
hid_process_report drivers/hid/hid-core.c:1665 [inline]
hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x76a/0x980 kernel/time/timer.c:1790
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
__do_softirq+0x277/0x75b kernel/softirq.c:571
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================
If the size of the integer (unsigned n) is bigger than 32 in snto32(),
shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32, if n
is greater than 32.
Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1132,6 +1132,9 @@ static s32 snto32(__u32 value, unsigned
if (!value || !n)
return 0;
+ if (n > 32)
+ n = 32;
+
switch (n) {
case 8: return ((__s8)value);
case 16: return ((__s16)value);
next prev parent reply other threads:[~2022-12-12 13:52 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-12 13:19 [PATCH 4.14 00/38] 4.14.302-rc1 review Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 01/38] arm: dts: rockchip: fix node name for hym8563 rtc Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 02/38] ARM: dts: rockchip: fix ir-receiver node names Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 03/38] ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 04/38] ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 05/38] ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 06/38] ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Greg Kroah-Hartman
2022-12-12 13:19 ` Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 07/38] ASoC: soc-pcm: Add NULL check in BE reparenting Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 08/38] regulator: twl6030: fix get status of twl6032 regulators Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 09/38] net: usb: qmi_wwan: add u-blox 0x1342 composition Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 10/38] xen/netback: Ensure protocol headers dont fall in the non-linear area Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 11/38] xen/netback: do some code cleanup Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 12/38] xen/netback: dont call kfree_skb() with interrupts disabled Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 13/38] rcutorture: Automatically create initrd directory Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 14/38] media: v4l2-dv-timings.c: fix too strict blanking sanity checks Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 15/38] memcg: fix possible use-after-free in memcg_write_event_control() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 16/38] KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 17/38] HID: hid-lg4ff: Add check for empty lbuf Greg Kroah-Hartman
2022-12-12 13:19 ` Greg Kroah-Hartman [this message]
2022-12-12 13:19 ` [PATCH 4.14 19/38] ieee802154: cc2520: Fix error return code in cc2520_hw_init() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 20/38] ca8210: Fix crash by zero initializing data Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 21/38] gpio: amd8111: Fix PCI device reference count leak Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 22/38] e1000e: Fix TX dispatch condition Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 23/38] igb: Allocate MSI-X vector when testing Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 24/38] Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 25/38] mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 26/38] net: encx24j600: Add parentheses to fix precedence Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 27/38] net: encx24j600: Fix invalid logic in reading of MISTAT register Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 28/38] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 29/38] NFC: nci: Bounds check struct nfc_target arrays Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 30/38] net: stmmac: fix "snps,axi-config" node property parsing Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 31/38] net: hisilicon: Fix potential use-after-free in hisi_femac_rx() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 32/38] net: hisilicon: Fix potential use-after-free in hix5hd2_rx() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 33/38] tipc: Fix potential OOB in tipc_link_proto_rcv() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 34/38] ethernet: aeroflex: fix potential skb leak in greth_init_rings() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 35/38] xen/netback: fix build warning Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 36/38] net: plip: dont call kfree_skb/dev_kfree_skb() under spin_lock_irq() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 37/38] ipv6: avoid use-after-free in ip6_fragment() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 38/38] net: mvneta: Fix an out of bounds check Greg Kroah-Hartman
2022-12-12 20:11 ` [PATCH 4.14 00/38] 4.14.302-rc1 review Jon Hunter
2022-12-12 20:21 ` Slade Watkins
2022-12-13 0:23 ` Guenter Roeck
2022-12-13 12:05 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221212130913.035913261@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com \
--cc=zhangpeng362@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.