From: syzbot <syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
Date: Sat, 23 Dec 2023 11:59:51 -0800 [thread overview]
Message-ID: <0000000000009ae37b060d32c643@google.com> (raw)
In-Reply-To: <000000000000d330500607d85a5f@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
Author: tintinm2017@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
Requesting help from the maintainers to understand what is really going wrong in the code.
Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.
Signed-off-by: Attreyee Mukherjee <tintinm2017@gmail.com>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
--
2.34.1
next prev parent reply other threads:[~2023-12-23 19:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
2023-11-17 14:23 ` [syzbot] Test syzbot
2023-11-21 19:19 ` [syzbot] [PATCH] Tried to correct syzbot
2023-11-22 8:08 ` kernel test robot
2023-12-23 19:59 ` syzbot [this message]
2024-01-03 14:12 ` [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning Dan Carpenter
2024-01-03 14:29 ` Aleksandr Nogikh
2024-03-05 18:55 ` [syzbot] " Kees Cook
2024-05-23 14:17 ` [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse Nikita Zhandarovich
2024-05-24 1:56 ` syzbot
2025-01-30 10:20 ` Nikita Zhandarovich
2025-01-30 14:14 ` syzbot
2025-01-31 7:13 ` Nikita Zhandarovich
2025-01-31 7:39 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000009ae37b060d32c643@google.com \
--to=syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox