[RESEND] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report

[RESEND] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report

[Lee Jones]

It is possible for a malicious device to forgo submitting a Feature
Report.  The HID Steam driver presently makes no prevision for this
and de-references the 'struct hid_report' pointer obtained from the
HID devices without first checking its validity.  Let's change that.

Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
Signed-off-by: Lee Jones <lee@kernel.org>
---
 drivers/hid/hid-steam.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index a3b151b29bd71..fc616db4231bb 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
 	int ret;
 
 	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+	if (!r) {
+		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
+		return -EINVAL;
+	}
+
 	if (hid_report_len(r) < 64)
 		return -EINVAL;
 
@@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
 	int ret;
 
 	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+	if (!r) {
+		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
+		return -EINVAL;
+	}
+
 	if (hid_report_len(r) < 64)
 		return -EINVAL;
 
-- 
2.37.1.455.g008518b4e5-goog

Re: [RESEND] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report

[Lee Jones]

On Wed, 03 Aug 2022, Lee Jones wrote:

> It is possible for a malicious device to forgo submitting a Feature
> Report.  The HID Steam driver presently makes no prevision for this
> and de-references the 'struct hid_report' pointer obtained from the
> HID devices without first checking its validity.  Let's change that.

This patch has been floating around since the beginning of July.

It fixes a real issue which was found by creating a virtual
(software based) malicious device and registering it as a HID device.

There is nothing preventing a real attacker from creating a H/W
version of the device in order to instigate an out-of-bounds read,
potentially leading to a data leak.

Would someone be kind enough to review please?

> Cc: Jiri Kosina <jikos@kernel.org>
> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> Cc: linux-input@vger.kernel.org
> Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
> Signed-off-by: Lee Jones <lee@kernel.org>
> ---
>  drivers/hid/hid-steam.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> index a3b151b29bd71..fc616db4231bb 100644
> --- a/drivers/hid/hid-steam.c
> +++ b/drivers/hid/hid-steam.c
> @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
>  	int ret;
>  
>  	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> +	if (!r) {
> +		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
> +		return -EINVAL;
> +	}
> +
>  	if (hid_report_len(r) < 64)
>  		return -EINVAL;
>  
> @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
>  	int ret;
>  
>  	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> +	if (!r) {
> +		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
> +		return -EINVAL;
> +	}
> +
>  	if (hid_report_len(r) < 64)
>  		return -EINVAL;
>  

-- 
Lee Jones [李琼斯]

Re: [RESEND] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report

[Silvan Jegen]

Hi

Lee Jones <lee@kernel.org> wrote:
> On Wed, 03 Aug 2022, Lee Jones wrote:
> 
> > It is possible for a malicious device to forgo submitting a Feature
> > Report.  The HID Steam driver presently makes no prevision for this
> > and de-references the 'struct hid_report' pointer obtained from the
> > HID devices without first checking its validity.  Let's change that.
> 
> This patch has been floating around since the beginning of July.
> 
> It fixes a real issue which was found by creating a virtual
> (software based) malicious device and registering it as a HID device.
> 
> There is nothing preventing a real attacker from creating a H/W
> version of the device in order to instigate an out-of-bounds read,
> potentially leading to a data leak.
> 
> Would someone be kind enough to review please?

AFACT this patch has been applied by Jiri on the 25th of August already.

Is a review still needed in this case?


Cheers,

Silvan

> 
> > Cc: Jiri Kosina <jikos@kernel.org>
> > Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> > Cc: linux-input@vger.kernel.org
> > Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
> > Signed-off-by: Lee Jones <lee@kernel.org>
> > ---
> >  drivers/hid/hid-steam.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> > index a3b151b29bd71..fc616db4231bb 100644
> > --- a/drivers/hid/hid-steam.c
> > +++ b/drivers/hid/hid-steam.c
> > @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
> >  	int ret;
> >  
> >  	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> > +	if (!r) {
> > +		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
> > +		return -EINVAL;
> > +	}
> > +
> >  	if (hid_report_len(r) < 64)
> >  		return -EINVAL;
> >  
> > @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
> >  	int ret;
> >  
> >  	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> > +	if (!r) {
> > +		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
> > +		return -EINVAL;
> > +	}
> > +
> >  	if (hid_report_len(r) < 64)
> >  		return -EINVAL;
> >  

Re: [RESEND] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report

[Lee Jones]

On Mon, 12 Sep 2022, Silvan Jegen wrote:

> Hi
> 
> Lee Jones <lee@kernel.org> wrote:
> > On Wed, 03 Aug 2022, Lee Jones wrote:
> > 
> > > It is possible for a malicious device to forgo submitting a Feature
> > > Report.  The HID Steam driver presently makes no prevision for this
> > > and de-references the 'struct hid_report' pointer obtained from the
> > > HID devices without first checking its validity.  Let's change that.
> > 
> > This patch has been floating around since the beginning of July.
> > 
> > It fixes a real issue which was found by creating a virtual
> > (software based) malicious device and registering it as a HID device.
> > 
> > There is nothing preventing a real attacker from creating a H/W
> > version of the device in order to instigate an out-of-bounds read,
> > potentially leading to a data leak.
> > 
> > Would someone be kind enough to review please?
> 
> AFACT this patch has been applied by Jiri on the 25th of August already.

Ah, I missed his reply to the original patch.

> Is a review still needed in this case?

Certainly not.  Thank you for your reply.

-- 
Lee Jones [李琼斯]