* [PATCH 1/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init
2022-01-05 17:29 [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences José Expósito
@ 2022-01-05 17:29 ` José Expósito
2022-01-05 17:29 ` [PATCH 2/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc José Expósito
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: José Expósito @ 2022-01-05 17:29 UTC (permalink / raw)
To: jikos
Cc: benjamin.tissoires, linux-input, linux-kernel, spbnick,
José Expósito
The function performs a check on its input parameters, however, the
hdev parameter is used before the check.
Initialize the stack variables after checking the input parameters to
avoid a possible NULL pointer dereference.
Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
Addresses-Coverity-ID: 1443831 ("Null pointer dereference")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
---
drivers/hid/hid-uclogic-params.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
index adff1bd68d9f..3c10b858cf74 100644
--- a/drivers/hid/hid-uclogic-params.c
+++ b/drivers/hid/hid-uclogic-params.c
@@ -834,10 +834,10 @@ int uclogic_params_init(struct uclogic_params *params,
struct hid_device *hdev)
{
int rc;
- struct usb_device *udev = hid_to_usb_dev(hdev);
- __u8 bNumInterfaces = udev->config->desc.bNumInterfaces;
- struct usb_interface *iface = to_usb_interface(hdev->dev.parent);
- __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
+ struct usb_device *udev;
+ __u8 bNumInterfaces;
+ struct usb_interface *iface;
+ __u8 bInterfaceNumber;
bool found;
/* The resulting parameters (noop) */
struct uclogic_params p = {0, };
@@ -848,6 +848,11 @@ int uclogic_params_init(struct uclogic_params *params,
goto cleanup;
}
+ udev = hid_to_usb_dev(hdev);
+ bNumInterfaces = udev->config->desc.bNumInterfaces;
+ iface = to_usb_interface(hdev->dev.parent);
+ bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
+
/*
* Set replacement report descriptor if the original matches the
* specified size. Otherwise keep interface unchanged.
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 2/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc
2022-01-05 17:29 [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences José Expósito
2022-01-05 17:29 ` [PATCH 1/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init José Expósito
@ 2022-01-05 17:29 ` José Expósito
2022-01-05 17:29 ` [PATCH 3/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init José Expósito
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: José Expósito @ 2022-01-05 17:29 UTC (permalink / raw)
To: jikos
Cc: benjamin.tissoires, linux-input, linux-kernel, spbnick,
José Expósito
The function performs a check on the hdev input parameters, however, it
is used before the check.
Initialize the udev variable after the sanity check to avoid a
possible NULL pointer dereference.
Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
Addresses-Coverity-ID: 1443827 ("Null pointer dereference")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
---
drivers/hid/hid-uclogic-params.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
index 3c10b858cf74..3a83e2c39b4f 100644
--- a/drivers/hid/hid-uclogic-params.c
+++ b/drivers/hid/hid-uclogic-params.c
@@ -66,7 +66,7 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev,
__u8 idx, size_t len)
{
int rc;
- struct usb_device *udev = hid_to_usb_dev(hdev);
+ struct usb_device *udev;
__u8 *buf = NULL;
/* Check arguments */
@@ -75,6 +75,8 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev,
goto cleanup;
}
+ udev = hid_to_usb_dev(hdev);
+
buf = kmalloc(len, GFP_KERNEL);
if (buf == NULL) {
rc = -ENOMEM;
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 3/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init
2022-01-05 17:29 [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences José Expósito
2022-01-05 17:29 ` [PATCH 1/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init José Expósito
2022-01-05 17:29 ` [PATCH 2/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc José Expósito
@ 2022-01-05 17:29 ` José Expósito
2022-01-05 17:29 ` [PATCH 4/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad José Expósito
2022-01-06 13:14 ` [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences Jiri Kosina
4 siblings, 0 replies; 6+ messages in thread
From: José Expósito @ 2022-01-05 17:29 UTC (permalink / raw)
To: jikos
Cc: benjamin.tissoires, linux-input, linux-kernel, spbnick,
José Expósito
The function performs a check on its input parameters, however, the
hdev parameter is used before the check.
Initialize the stack variables after checking the input parameters to
avoid a possible NULL pointer dereference.
Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
Addresses-Coverity-ID: 1443804 ("Null pointer dereference")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
---
drivers/hid/hid-uclogic-params.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
index 3a83e2c39b4f..4136837e4d15 100644
--- a/drivers/hid/hid-uclogic-params.c
+++ b/drivers/hid/hid-uclogic-params.c
@@ -709,9 +709,9 @@ static int uclogic_params_huion_init(struct uclogic_params *params,
struct hid_device *hdev)
{
int rc;
- struct usb_device *udev = hid_to_usb_dev(hdev);
- struct usb_interface *iface = to_usb_interface(hdev->dev.parent);
- __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
+ struct usb_device *udev;
+ struct usb_interface *iface;
+ __u8 bInterfaceNumber;
bool found;
/* The resulting parameters (noop) */
struct uclogic_params p = {0, };
@@ -725,6 +725,10 @@ static int uclogic_params_huion_init(struct uclogic_params *params,
goto cleanup;
}
+ udev = hid_to_usb_dev(hdev);
+ iface = to_usb_interface(hdev->dev.parent);
+ bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
+
/* If it's not a pen interface */
if (bInterfaceNumber != 0) {
/* TODO: Consider marking the interface invalid */
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 4/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad
2022-01-05 17:29 [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences José Expósito
` (2 preceding siblings ...)
2022-01-05 17:29 ` [PATCH 3/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init José Expósito
@ 2022-01-05 17:29 ` José Expósito
2022-01-06 13:14 ` [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences Jiri Kosina
4 siblings, 0 replies; 6+ messages in thread
From: José Expósito @ 2022-01-05 17:29 UTC (permalink / raw)
To: jikos
Cc: benjamin.tissoires, linux-input, linux-kernel, spbnick,
José Expósito
The function performs a check on the hdev input parameters, however, it
is used before the check.
Initialize the udev variable after the sanity check to avoid a
possible NULL pointer dereference.
Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
Addresses-Coverity-ID: 1443763 ("Null pointer dereference")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
---
drivers/hid/hid-uclogic-params.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
index 4136837e4d15..3e70f969fb84 100644
--- a/drivers/hid/hid-uclogic-params.c
+++ b/drivers/hid/hid-uclogic-params.c
@@ -452,7 +452,7 @@ static int uclogic_params_frame_init_v1_buttonpad(
{
int rc;
bool found = false;
- struct usb_device *usb_dev = hid_to_usb_dev(hdev);
+ struct usb_device *usb_dev;
char *str_buf = NULL;
const size_t str_len = 16;
@@ -462,6 +462,8 @@ static int uclogic_params_frame_init_v1_buttonpad(
goto cleanup;
}
+ usb_dev = hid_to_usb_dev(hdev);
+
/*
* Enable generic button mode
*/
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences
2022-01-05 17:29 [PATCH 0/4] HID: hid-uclogic-params: Fix NULL pointer dereferences José Expósito
` (3 preceding siblings ...)
2022-01-05 17:29 ` [PATCH 4/4] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad José Expósito
@ 2022-01-06 13:14 ` Jiri Kosina
4 siblings, 0 replies; 6+ messages in thread
From: Jiri Kosina @ 2022-01-06 13:14 UTC (permalink / raw)
To: José Expósito
Cc: benjamin.tissoires, linux-input, linux-kernel, spbnick
On Wed, 5 Jan 2022, José Expósito wrote:
> Hi everyone,
>
> This series fixes 4 possible NULL pointer dereference errors
> present in hid-uclogic-params.c found by Coverity.
>
> Even though the fixes are small and very similar I made them
> in 4 patches to include the Coverity ID on each of them and
> make Coverity happy.
>
> I didn't find any code calling the functions with invalid
> params, but since the check is there, it's better to make sure
> that it's doing its job.
Thanks, I've queued the series.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 6+ messages in thread