From: kernel test robot <lkp@intel.com>
To: Terry Junge <linuxhid@cosmicgizmosystems.com>,
Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <bentiss@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: oe-kbuild-all@lists.linux.dev,
Terry Junge <linuxhid@cosmicgizmosystems.com>,
Nikita Zhandarovich <n.zhandarovich@fintech.ru>,
Alan Stern <stern@rowland.harvard.edu>,
Kees Cook <kees@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-input@vger.kernel.org, linux-usb@vger.kernel.org,
linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org, syzkaller-bugs@googlegroups.com,
lvc-project@linuxtesting.org,
syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com,
stable@vger.kernel.org
Subject: Re: [PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
Date: Sun, 9 Mar 2025 05:49:02 +0800 [thread overview]
Message-ID: <202503090701.715nV1DW-lkp@intel.com> (raw)
In-Reply-To: <20250307045449.745634-1-linuxhid@cosmicgizmosystems.com>
Hi Terry,
kernel test robot noticed the following build warnings:
[auto build test WARNING on 58c9bf3363e596d744f56616d407278ef5f97f5a]
url: https://github.com/intel-lab-lkp/linux/commits/Terry-Junge/HID-usbhid-Eliminate-recurrent-out-of-bounds-bug-in-usbhid_parse/20250307-130514
base: 58c9bf3363e596d744f56616d407278ef5f97f5a
patch link: https://lore.kernel.org/r/20250307045449.745634-1-linuxhid%40cosmicgizmosystems.com
patch subject: [PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
config: s390-randconfig-r133-20250308 (https://download.01.org/0day-ci/archive/20250309/202503090701.715nV1DW-lkp@intel.com/config)
compiler: clang version 15.0.7 (https://github.com/llvm/llvm-project 8dfdcc7b7bf66834a761bd8de445840ef68e4d1a)
reproduce: (https://download.01.org/0day-ci/archive/20250309/202503090701.715nV1DW-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503090701.715nV1DW-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/hid/usbhid/hid-core.c:1055:4: warning: format specifies type 'unsigned char' but the argument has type 'int' [-Wformat]
hdesc->bNumDescriptors - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/hid.h:1239:31: note: expanded from macro 'hid_warn'
dev_warn(&(hid)->dev, fmt, ##__VA_ARGS__)
~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:156:70: note: expanded from macro 'dev_warn'
dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap'
_p_func(dev, fmt, ##__VA_ARGS__); \
~~~ ^~~~~~~~~~~
1 warning generated.
vim +1055 drivers/hid/usbhid/hid-core.c
979
980 static int usbhid_parse(struct hid_device *hid)
981 {
982 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
983 struct usb_host_interface *interface = intf->cur_altsetting;
984 struct usb_device *dev = interface_to_usbdev (intf);
985 struct hid_descriptor *hdesc;
986 struct hid_class_descriptor *hcdesc;
987 u32 quirks = 0;
988 unsigned int rsize = 0;
989 char *rdesc;
990 int ret;
991
992 quirks = hid_lookup_quirk(hid);
993
994 if (quirks & HID_QUIRK_IGNORE)
995 return -ENODEV;
996
997 /* Many keyboards and mice don't like to be polled for reports,
998 * so we will always set the HID_QUIRK_NOGET flag for them. */
999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
1002 quirks |= HID_QUIRK_NOGET;
1003 }
1004
1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
1006 (!interface->desc.bNumEndpoints ||
1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
1008 dbg_hid("class descriptor not present\n");
1009 return -ENODEV;
1010 }
1011
1012 if (!hdesc->bNumDescriptors ||
1013 hdesc->bLength != sizeof(*hdesc) +
1014 (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
1015 dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
1016 hdesc->bLength, hdesc->bNumDescriptors);
1017 return -EINVAL;
1018 }
1019
1020 hid->version = le16_to_cpu(hdesc->bcdHID);
1021 hid->country = hdesc->bCountryCode;
1022
1023 if (hdesc->rpt_desc.bDescriptorType == HID_DT_REPORT)
1024 rsize = le16_to_cpu(hdesc->rpt_desc.wDescriptorLength);
1025
1026 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
1027 dbg_hid("weird size of report descriptor (%u)\n", rsize);
1028 return -EINVAL;
1029 }
1030
1031 rdesc = kmalloc(rsize, GFP_KERNEL);
1032 if (!rdesc)
1033 return -ENOMEM;
1034
1035 hid_set_idle(dev, interface->desc.bInterfaceNumber, 0, 0);
1036
1037 ret = hid_get_class_descriptor(dev, interface->desc.bInterfaceNumber,
1038 HID_DT_REPORT, rdesc, rsize);
1039 if (ret < 0) {
1040 dbg_hid("reading report descriptor failed\n");
1041 kfree(rdesc);
1042 goto err;
1043 }
1044
1045 ret = hid_parse_report(hid, rdesc, rsize);
1046 kfree(rdesc);
1047 if (ret) {
1048 dbg_hid("parsing report descriptor failed\n");
1049 goto err;
1050 }
1051
1052 if (hdesc->bNumDescriptors > 1)
1053 hid_warn(intf,
1054 "%hhu unsupported optional hid class descriptors\n",
> 1055 hdesc->bNumDescriptors - 1);
1056
1057 hid->quirks |= quirks;
1058
1059 return 0;
1060 err:
1061 return ret;
1062 }
1063
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next prev parent reply other threads:[~2025-03-08 21:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-07 4:54 [PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Terry Junge
2025-03-08 21:49 ` kernel test robot [this message]
2025-03-12 22:23 ` [PATCH v2] " Terry Junge
2025-03-13 20:25 ` Michael Kelley
2025-04-24 9:31 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202503090701.715nV1DW-lkp@intel.com \
--to=lkp@intel.com \
--cc=bentiss@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=gustavoars@kernel.org \
--cc=jikos@kernel.org \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linuxhid@cosmicgizmosystems.com \
--cc=lvc-project@linuxtesting.org \
--cc=n.zhandarovich@fintech.ru \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).