* [PATCH] Input: gtco - fix potential out-of-bound access @ 2017-10-24 5:28 Dmitry Torokhov 2017-10-24 11:04 ` Andrey Konovalov 0 siblings, 1 reply; 5+ messages in thread From: Dmitry Torokhov @ 2017-10-24 5:28 UTC (permalink / raw) To: linux-input; +Cc: Andrey Konovalov, linux-kernel parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> --- drivers/input/tablet/gtco.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index b796e891e2ee..0351203b8c24 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -230,13 +230,24 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, /* Walk this report and pull out the info we need */ while (i < length) { - prefix = report[i]; - - /* Skip over prefix */ - i++; + prefix = report[i++]; /* Determine data size and save the data in the proper variable */ - size = PREF_SIZE(prefix); + if (PREF_SIZE(prefix) < 1) { + dev_err(ddev, + "Invalid size %d in element at offset %d\n", + PREF_SIZE(prefix), i); + break; + } + + size = 1U << (PREF_SIZE(prefix) - 1); + if (i + size >= length) { + dev_err(ddev, + "Not enough data (need %d, have %d)\n", + i + size, length); + break; + } + switch (size) { case 1: data = report[i]; @@ -244,8 +255,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, case 2: data16 = get_unaligned_le16(&report[i]); break; - case 3: - size = 4; + case 4: data32 = get_unaligned_le32(&report[i]); break; } -- 2.15.0.rc0.271.g36b669edcc-goog -- Dmitry ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Input: gtco - fix potential out-of-bound access 2017-10-24 5:28 [PATCH] Input: gtco - fix potential out-of-bound access Dmitry Torokhov @ 2017-10-24 11:04 ` Andrey Konovalov 2017-10-24 16:39 ` Dmitry Torokhov 0 siblings, 1 reply; 5+ messages in thread From: Andrey Konovalov @ 2017-10-24 11:04 UTC (permalink / raw) To: Dmitry Torokhov; +Cc: linux-input, LKML On Tue, Oct 24, 2017 at 7:28 AM, Dmitry Torokhov <dmitry.torokhov@gmail.com> wrote: > parse_hid_report_descriptor() has a while (i < length) loop, which > only guarantees that there's at least 1 byte in the buffer, but the > loop body can read multiple bytes which causes out-of-bounds access. > > Reported-by: Andrey Konovalov <andreyknvl@google.com> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > --- > drivers/input/tablet/gtco.c | 24 +++++++++++++++++------- > 1 file changed, 17 insertions(+), 7 deletions(-) > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > index b796e891e2ee..0351203b8c24 100644 > --- a/drivers/input/tablet/gtco.c > +++ b/drivers/input/tablet/gtco.c > @@ -230,13 +230,24 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > > /* Walk this report and pull out the info we need */ > while (i < length) { > - prefix = report[i]; > - > - /* Skip over prefix */ > - i++; > + prefix = report[i++]; > > /* Determine data size and save the data in the proper variable */ > - size = PREF_SIZE(prefix); > + if (PREF_SIZE(prefix) < 1) { AFAIU PREF_SIZE(prefix) == 0 is a perfectly valid item data size. > + dev_err(ddev, > + "Invalid size %d in element at offset %d\n", > + PREF_SIZE(prefix), i); > + break; > + } > + > + size = 1U << (PREF_SIZE(prefix) - 1); This formula doesn't work with PREF_SIZE(prefix) == 0. > + if (i + size >= length) { > + dev_err(ddev, > + "Not enough data (need %d, have %d)\n", > + i + size, length); > + break; > + } > + > switch (size) { > case 1: > data = report[i]; > @@ -244,8 +255,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > case 2: > data16 = get_unaligned_le16(&report[i]); > break; > - case 3: > - size = 4; > + case 4: > data32 = get_unaligned_le32(&report[i]); > break; > } > -- > 2.15.0.rc0.271.g36b669edcc-goog > > > -- > Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Input: gtco - fix potential out-of-bound access 2017-10-24 11:04 ` Andrey Konovalov @ 2017-10-24 16:39 ` Dmitry Torokhov 2017-10-25 10:33 ` Andrey Konovalov 0 siblings, 1 reply; 5+ messages in thread From: Dmitry Torokhov @ 2017-10-24 16:39 UTC (permalink / raw) To: Andrey Konovalov; +Cc: linux-input, LKML On Tue, Oct 24, 2017 at 01:04:03PM +0200, Andrey Konovalov wrote: > On Tue, Oct 24, 2017 at 7:28 AM, Dmitry Torokhov > <dmitry.torokhov@gmail.com> wrote: > > parse_hid_report_descriptor() has a while (i < length) loop, which > > only guarantees that there's at least 1 byte in the buffer, but the > > loop body can read multiple bytes which causes out-of-bounds access. > > > > Reported-by: Andrey Konovalov <andreyknvl@google.com> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > --- > > drivers/input/tablet/gtco.c | 24 +++++++++++++++++------- > > 1 file changed, 17 insertions(+), 7 deletions(-) > > > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > > index b796e891e2ee..0351203b8c24 100644 > > --- a/drivers/input/tablet/gtco.c > > +++ b/drivers/input/tablet/gtco.c > > @@ -230,13 +230,24 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > > > > /* Walk this report and pull out the info we need */ > > while (i < length) { > > - prefix = report[i]; > > - > > - /* Skip over prefix */ > > - i++; > > + prefix = report[i++]; > > > > /* Determine data size and save the data in the proper variable */ > > - size = PREF_SIZE(prefix); > > + if (PREF_SIZE(prefix) < 1) { > > AFAIU PREF_SIZE(prefix) == 0 is a perfectly valid item data size. Fair enough. How about the below instead then? -- Dmitry Input: gtco - fix potential out-of-bound access From: Dmitry Torokhov <dmitry.torokhov@gmail.com> parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> --- drivers/input/tablet/gtco.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index b796e891e2ee..7d8e9fb831c4 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, /* Walk this report and pull out the info we need */ while (i < length) { - prefix = report[i]; - - /* Skip over prefix */ - i++; + prefix = report[i++]; /* Determine data size and save the data in the proper variable */ - size = PREF_SIZE(prefix); + size = (1U << PREF_SIZE(prefix)) >> 1; + if (size && i + size >= length) { + dev_err(ddev, + "Not enough data (need %d, have %d)\n", + i + size, length); + break; + } + switch (size) { case 1: data = report[i]; @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, case 2: data16 = get_unaligned_le16(&report[i]); break; - case 3: - size = 4; + case 4: data32 = get_unaligned_le32(&report[i]); break; } ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Input: gtco - fix potential out-of-bound access 2017-10-24 16:39 ` Dmitry Torokhov @ 2017-10-25 10:33 ` Andrey Konovalov 2017-10-25 16:10 ` Dmitry Torokhov 0 siblings, 1 reply; 5+ messages in thread From: Andrey Konovalov @ 2017-10-25 10:33 UTC (permalink / raw) To: Dmitry Torokhov; +Cc: linux-input, LKML On Tue, Oct 24, 2017 at 6:39 PM, Dmitry Torokhov <dmitry.torokhov@gmail.com> wrote: > On Tue, Oct 24, 2017 at 01:04:03PM +0200, Andrey Konovalov wrote: >> On Tue, Oct 24, 2017 at 7:28 AM, Dmitry Torokhov >> <dmitry.torokhov@gmail.com> wrote: >> > parse_hid_report_descriptor() has a while (i < length) loop, which >> > only guarantees that there's at least 1 byte in the buffer, but the >> > loop body can read multiple bytes which causes out-of-bounds access. >> > >> > Reported-by: Andrey Konovalov <andreyknvl@google.com> >> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> >> > --- >> > drivers/input/tablet/gtco.c | 24 +++++++++++++++++------- >> > 1 file changed, 17 insertions(+), 7 deletions(-) >> > >> > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c >> > index b796e891e2ee..0351203b8c24 100644 >> > --- a/drivers/input/tablet/gtco.c >> > +++ b/drivers/input/tablet/gtco.c >> > @@ -230,13 +230,24 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, >> > >> > /* Walk this report and pull out the info we need */ >> > while (i < length) { >> > - prefix = report[i]; >> > - >> > - /* Skip over prefix */ >> > - i++; >> > + prefix = report[i++]; >> > >> > /* Determine data size and save the data in the proper variable */ >> > - size = PREF_SIZE(prefix); >> > + if (PREF_SIZE(prefix) < 1) { >> >> AFAIU PREF_SIZE(prefix) == 0 is a perfectly valid item data size. > > Fair enough. How about the below instead then? > > -- > Dmitry > > > Input: gtco - fix potential out-of-bound access > > From: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > parse_hid_report_descriptor() has a while (i < length) loop, which > only guarantees that there's at least 1 byte in the buffer, but the > loop body can read multiple bytes which causes out-of-bounds access. > > Reported-by: Andrey Konovalov <andreyknvl@google.com> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > --- > drivers/input/tablet/gtco.c | 17 ++++++++++------- > 1 file changed, 10 insertions(+), 7 deletions(-) > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > index b796e891e2ee..7d8e9fb831c4 100644 > --- a/drivers/input/tablet/gtco.c > +++ b/drivers/input/tablet/gtco.c > @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > > /* Walk this report and pull out the info we need */ > while (i < length) { > - prefix = report[i]; > - > - /* Skip over prefix */ > - i++; > + prefix = report[i++]; > > /* Determine data size and save the data in the proper variable */ > - size = PREF_SIZE(prefix); > + size = (1U << PREF_SIZE(prefix)) >> 1; > + if (size && i + size >= length) { I think this should be >, not >=, as when i + size == length, item data fits into the remaining space precisely. Also I don't see much point in checking that size is not 0, but I don't mind it. > + dev_err(ddev, > + "Not enough data (need %d, have %d)\n", > + i + size, length); > + break; > + } > + > switch (size) { > case 1: > data = report[i]; > @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > case 2: > data16 = get_unaligned_le16(&report[i]); > break; > - case 3: > - size = 4; > + case 4: > data32 = get_unaligned_le32(&report[i]); > break; > } > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Input: gtco - fix potential out-of-bound access 2017-10-25 10:33 ` Andrey Konovalov @ 2017-10-25 16:10 ` Dmitry Torokhov 0 siblings, 0 replies; 5+ messages in thread From: Dmitry Torokhov @ 2017-10-25 16:10 UTC (permalink / raw) To: Andrey Konovalov; +Cc: linux-input, LKML On Wed, Oct 25, 2017 at 12:33:38PM +0200, Andrey Konovalov wrote: > On Tue, Oct 24, 2017 at 6:39 PM, Dmitry Torokhov > <dmitry.torokhov@gmail.com> wrote: > > On Tue, Oct 24, 2017 at 01:04:03PM +0200, Andrey Konovalov wrote: > >> On Tue, Oct 24, 2017 at 7:28 AM, Dmitry Torokhov > >> <dmitry.torokhov@gmail.com> wrote: > >> > parse_hid_report_descriptor() has a while (i < length) loop, which > >> > only guarantees that there's at least 1 byte in the buffer, but the > >> > loop body can read multiple bytes which causes out-of-bounds access. > >> > > >> > Reported-by: Andrey Konovalov <andreyknvl@google.com> > >> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > >> > --- > >> > drivers/input/tablet/gtco.c | 24 +++++++++++++++++------- > >> > 1 file changed, 17 insertions(+), 7 deletions(-) > >> > > >> > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > >> > index b796e891e2ee..0351203b8c24 100644 > >> > --- a/drivers/input/tablet/gtco.c > >> > +++ b/drivers/input/tablet/gtco.c > >> > @@ -230,13 +230,24 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > >> > > >> > /* Walk this report and pull out the info we need */ > >> > while (i < length) { > >> > - prefix = report[i]; > >> > - > >> > - /* Skip over prefix */ > >> > - i++; > >> > + prefix = report[i++]; > >> > > >> > /* Determine data size and save the data in the proper variable */ > >> > - size = PREF_SIZE(prefix); > >> > + if (PREF_SIZE(prefix) < 1) { > >> > >> AFAIU PREF_SIZE(prefix) == 0 is a perfectly valid item data size. > > > > Fair enough. How about the below instead then? > > > > -- > > Dmitry > > > > > > Input: gtco - fix potential out-of-bound access > > > > From: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > > > parse_hid_report_descriptor() has a while (i < length) loop, which > > only guarantees that there's at least 1 byte in the buffer, but the > > loop body can read multiple bytes which causes out-of-bounds access. > > > > Reported-by: Andrey Konovalov <andreyknvl@google.com> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > --- > > drivers/input/tablet/gtco.c | 17 ++++++++++------- > > 1 file changed, 10 insertions(+), 7 deletions(-) > > > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > > index b796e891e2ee..7d8e9fb831c4 100644 > > --- a/drivers/input/tablet/gtco.c > > +++ b/drivers/input/tablet/gtco.c > > @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > > > > /* Walk this report and pull out the info we need */ > > while (i < length) { > > - prefix = report[i]; > > - > > - /* Skip over prefix */ > > - i++; > > + prefix = report[i++]; > > > > /* Determine data size and save the data in the proper variable */ > > - size = PREF_SIZE(prefix); > > + size = (1U << PREF_SIZE(prefix)) >> 1; > > + if (size && i + size >= length) { > > I think this should be >, not >=, as when i + size == length, item > data fits into the remaining space precisely. Also I don't see much > point in checking that size is not 0, but I don't mind it. Yes, you are right, I ma not sure why I thought that condition should be greater or equal, not simply greater. I'll adjust this and drop the size != 0 check as it is definitely not needed with the updated condition. I'll put you down as reviewed-by. Thanks! -- Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-10-25 16:10 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-10-24 5:28 [PATCH] Input: gtco - fix potential out-of-bound access Dmitry Torokhov 2017-10-24 11:04 ` Andrey Konovalov 2017-10-24 16:39 ` Dmitry Torokhov 2017-10-25 10:33 ` Andrey Konovalov 2017-10-25 16:10 ` Dmitry Torokhov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox