[PATCH 4.14 18/38] HID: core: fix shift-out-of-bounds in hid_report_raw_event

public inbox for patches@lists.linux.dev
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com,
	ZhangPeng <zhangpeng362@huawei.com>,
	Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 4.14 18/38] HID: core: fix shift-out-of-bounds in hid_report_raw_event
Date: Mon, 12 Dec 2022 14:19:19 +0100	[thread overview]
Message-ID: <20221212130913.035913261@linuxfoundation.org> (raw)
In-Reply-To: <20221212130912.069170932@linuxfoundation.org>

From: ZhangPeng <zhangpeng362@huawei.com>

commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(),
shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32, if n
is greater than 32.

Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-core.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1132,6 +1132,9 @@ static s32 snto32(__u32 value, unsigned
 	if (!value || !n)
 		return 0;

+	if (n > 32)
+		n = 32;
+
 	switch (n) {
 	case 8:  return ((__s8)value);
 	case 16: return ((__s16)value);

next prev parent reply	other threads:[~2022-12-12 13:52 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-12 13:19 [PATCH 4.14 00/38] 4.14.302-rc1 review Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 01/38] arm: dts: rockchip: fix node name for hym8563 rtc Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 02/38] ARM: dts: rockchip: fix ir-receiver node names Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 03/38] ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 04/38] ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 05/38] ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 06/38] ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 07/38] ASoC: soc-pcm: Add NULL check in BE reparenting Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 08/38] regulator: twl6030: fix get status of twl6032 regulators Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 09/38] net: usb: qmi_wwan: add u-blox 0x1342 composition Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 10/38] xen/netback: Ensure protocol headers dont fall in the non-linear area Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 11/38] xen/netback: do some code cleanup Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 12/38] xen/netback: dont call kfree_skb() with interrupts disabled Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 13/38] rcutorture: Automatically create initrd directory Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 14/38] media: v4l2-dv-timings.c: fix too strict blanking sanity checks Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 15/38] memcg: fix possible use-after-free in memcg_write_event_control() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 16/38] KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 17/38] HID: hid-lg4ff: Add check for empty lbuf Greg Kroah-Hartman
2022-12-12 13:19 ` Greg Kroah-Hartman [this message]
2022-12-12 13:19 ` [PATCH 4.14 19/38] ieee802154: cc2520: Fix error return code in cc2520_hw_init() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 20/38] ca8210: Fix crash by zero initializing data Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 21/38] gpio: amd8111: Fix PCI device reference count leak Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 22/38] e1000e: Fix TX dispatch condition Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 23/38] igb: Allocate MSI-X vector when testing Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 24/38] Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 25/38] mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 26/38] net: encx24j600: Add parentheses to fix precedence Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 27/38] net: encx24j600: Fix invalid logic in reading of MISTAT register Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 28/38] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 29/38] NFC: nci: Bounds check struct nfc_target arrays Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 30/38] net: stmmac: fix "snps,axi-config" node property parsing Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 31/38] net: hisilicon: Fix potential use-after-free in hisi_femac_rx() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 32/38] net: hisilicon: Fix potential use-after-free in hix5hd2_rx() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 33/38] tipc: Fix potential OOB in tipc_link_proto_rcv() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 34/38] ethernet: aeroflex: fix potential skb leak in greth_init_rings() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 35/38] xen/netback: fix build warning Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 36/38] net: plip: dont call kfree_skb/dev_kfree_skb() under spin_lock_irq() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 37/38] ipv6: avoid use-after-free in ip6_fragment() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.14 38/38] net: mvneta: Fix an out of bounds check Greg Kroah-Hartman
2022-12-12 20:11 ` [PATCH 4.14 00/38] 4.14.302-rc1 review Jon Hunter
2022-12-12 20:21 ` Slade Watkins
2022-12-13  0:23 ` Guenter Roeck
2022-12-13 12:05 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221212130913.035913261@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=jkosina@suse.cz \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com \
    --cc=zhangpeng362@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox