linux-input.vger.kernel.org archive mirror
* [PATCH] HID: core: fix validation of report id 0
@ 2014-04-17 20:22 Kees Cook
  2014-05-19 19:01 ` Kees Cook
  0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2014-04-17 20:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Jiri Kosina, Benjamin Tissoires, Simon Wood, linux-input

Some drivers use the first HID report in the list instead of using an
index. In these cases, validation uses ID 0, which was supposed to mean
"first known report". This fixes the problem, which was causing at least
the lgff family of devices to stop working since hid_validate_values
was being called with ID 0, but the devices used single numbered IDs
for their reports:

0x05, 0x01,         /*  Usage Page (Desktop),                   */
0x09, 0x05,         /*  Usage (Gamepad),                        */
0xA1, 0x01,         /*  Collection (Application),               */
0xA1, 0x02,         /*      Collection (Logical),               */
0x85, 0x01,         /*          Report ID (1),                  */
...

Reported-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
---
 drivers/hid/hid-core.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 9e8064205bc7..07ce28175168 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -839,7 +839,17 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
 	 * ->numbered being checked, which may not always be the case when
 	 * drivers go to access report values.
 	 */
-	report = hid->report_enum[type].report_id_hash[id];
+	if (id == 0) {
+		/*
+		 * Validating on id 0 means we should examine the first
+		 * report in the list.
+		 */
+		report = list_entry(
+				hid->report_enum[type].report_list.next,
+				struct hid_report, list);
+	} else {
+		report = hid->report_enum[type].report_id_hash[id];
+	}
 	if (!report) {
 		hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
 		return NULL;
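
Review bot: In the new id == 0 branch, list_entry() on report_list.next can never produce NULL, so the "if (!report)" check that follows does not cover a device with no reports of this type. When report_list is empty, .next points back at the list head embedded in hid->report_enum[type], and list_entry() returns an address computed from that head as though it were a struct hid_report; the result is non-NULL, passes the check, and is handed on as a valid report. Suggest testing list_empty(&hid->report_enum[type].report_list) before taking the first entry and leaving report NULL in that case, or using list_first_entry_or_null(), so the existing "missing %s %u" path rejects it. Since the point of hid_validate_values() is to stop drivers from trusting device-supplied report layouts, the empty-list case deserves the same treatment as a missing hash entry.
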
-- 
1.7.9.5


-- 
Kees Cook
Chrome OS Security


* Re: [PATCH] HID: core: fix validation of report id 0
  2014-04-17 20:22 [PATCH] HID: core: fix validation of report id 0 Kees Cook
@ 2014-05-19 19:01 ` Kees Cook
  2014-05-19 19:39   ` Benjamin Tissoires
  2014-05-20 14:40   ` Jiri Kosina
  0 siblings, 2 replies; 4+ messages in thread
From: Kees Cook @ 2014-05-19 19:01 UTC (permalink / raw)
  To: LKML; +Cc: Jiri Kosina, Benjamin Tissoires, Simon Wood, linux-input,
	Roland Bosa

Pinging on this patch... I don't see it in -next yet. I've had more
reports of trouble with logitech devices, and this seems to solve the
problem.

-Kees

On Thu, Apr 17, 2014 at 1:22 PM, Kees Cook <keescook@chromium.org> wrote:
> Some drivers use the first HID report in the list instead of using an
> index. In these cases, validation uses ID 0, which was supposed to mean
> "first known report". This fixes the problem, which was causing at least
> the lgff family of devices to stop working since hid_validate_values
> was being called with ID 0, but the devices used single numbered IDs
> for their reports:
>
> 0x05, 0x01,         /*  Usage Page (Desktop),                   */
> 0x09, 0x05,         /*  Usage (Gamepad),                        */
> 0xA1, 0x01,         /*  Collection (Application),               */
> 0xA1, 0x02,         /*      Collection (Logical),               */
> 0x85, 0x01,         /*          Report ID (1),                  */
> ...
>
> Reported-by: Simon Wood <simon@mungewell.org>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: stable@vger.kernel.org
> ---
>  drivers/hid/hid-core.c |   12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 9e8064205bc7..07ce28175168 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -839,7 +839,17 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
>          * ->numbered being checked, which may not always be the case when
>          * drivers go to access report values.
>          */
> -       report = hid->report_enum[type].report_id_hash[id];
> +       if (id == 0) {
> +               /*
> +                * Validating on id 0 means we should examine the first
> +                * report in the list.
> +                */
> +               report = list_entry(
> +                               hid->report_enum[type].report_list.next,
> +                               struct hid_report, list);
> +       } else {
> +               report = hid->report_enum[type].report_id_hash[id];
> +       }
>         if (!report) {
>                 hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
>                 return NULL;
> --
> 1.7.9.5
>
>
> --
> Kees Cook
> Chrome OS Security



-- 
Kees Cook
Chrome OS Security


* Re: [PATCH] HID: core: fix validation of report id 0
  2014-05-19 19:01 ` Kees Cook
@ 2014-05-19 19:39   ` Benjamin Tissoires
  2014-05-20 14:40   ` Jiri Kosina
  1 sibling, 0 replies; 4+ messages in thread
From: Benjamin Tissoires @ 2014-05-19 19:39 UTC (permalink / raw)
  To: Kees Cook
  Cc: LKML, Jiri Kosina, Benjamin Tissoires, Simon Wood, linux-input,
	Roland Bosa

On Mon, May 19, 2014 at 3:01 PM, Kees Cook <keescook@chromium.org> wrote:
> Pinging on this patch... I don't see it in -next yet. I've had more
> reports of trouble with logitech devices, and this seems to solve the
> problem.
>
> -Kees
>
> On Thu, Apr 17, 2014 at 1:22 PM, Kees Cook <keescook@chromium.org> wrote:
>> Some drivers use the first HID report in the list instead of using an
>> index. In these cases, validation uses ID 0, which was supposed to mean
>> "first known report". This fixes the problem, which was causing at least
>> the lgff family of devices to stop working since hid_validate_values
>> was being called with ID 0, but the devices used single numbered IDs
>> for their reports:
>>
>> 0x05, 0x01,         /*  Usage Page (Desktop),                   */
>> 0x09, 0x05,         /*  Usage (Gamepad),                        */
>> 0xA1, 0x01,         /*  Collection (Application),               */
>> 0xA1, 0x02,         /*      Collection (Logical),               */
>> 0x85, 0x01,         /*          Report ID (1),                  */
>> ...
>>
>> Reported-by: Simon Wood <simon@mungewell.org>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> Cc: stable@vger.kernel.org
>> ---

Oops, sorry, I should have commented on it earlier:

Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>

Cheers,
Benjamin


* Re: [PATCH] HID: core: fix validation of report id 0
  2014-05-19 19:01 ` Kees Cook
  2014-05-19 19:39   ` Benjamin Tissoires
@ 2014-05-20 14:40   ` Jiri Kosina
  1 sibling, 0 replies; 4+ messages in thread
From: Jiri Kosina @ 2014-05-20 14:40 UTC (permalink / raw)
  To: Kees Cook; +Cc: LKML, Benjamin Tissoires, Simon Wood, linux-input, Roland Bosa

On Mon, 19 May 2014, Kees Cook wrote:

> Pinging on this patch... I don't see it in -next yet. I've had more
> reports of trouble with logitech devices, and this seems to solve the
> problem.

Apologies for this taking so long. I have now queued your patch.
Thanks,

-- 
Jiri Kosina
SUSE Labs
