From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Jaejoong Kim <climbbb.kim@gmail.com>,
Alan Stern <stern@rowland.harvard.edu>,
Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 4.13 09/53] HID: usbhid: fix out-of-bounds bug
Date: Mon, 16 Oct 2017 18:16:06 +0200 [thread overview]
Message-ID: <20171016161442.620630412@linuxfoundation.org> (raw)
In-Reply-To: <20171016161442.263947886@linuxfoundation.org>
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaejoong Kim <climbbb.kim@gmail.com>
commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.
In addition, if bNumDescriptors of the hid descriptor have an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].
So check the size of hid descriptor and bNumDescriptors.
BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x22f/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-core.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_devic
unsigned int rsize = 0;
char *rdesc;
int ret, n;
+ int num_descriptors;
+ size_t offset = offsetof(struct hid_descriptor, desc);
quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
@@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_devic
return -ENODEV;
}
+ if (hdesc->bLength < sizeof(struct hid_descriptor)) {
+ dbg_hid("hid descriptor is too short\n");
+ return -EINVAL;
+ }
+
hid->version = le16_to_cpu(hdesc->bcdHID);
hid->country = hdesc->bCountryCode;
- for (n = 0; n < hdesc->bNumDescriptors; n++)
+ num_descriptors = min_t(int, hdesc->bNumDescriptors,
+ (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
+
+ for (n = 0; n < num_descriptors; n++)
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
next prev parent reply other threads:[~2017-10-16 16:20 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 16:15 [PATCH 4.13 00/53] 4.13.8-stable review Greg Kroah-Hartman
2017-10-16 16:15 ` [PATCH 4.13 01/53] USB: dummy-hcd: Fix deadlock caused by disconnect detection Greg Kroah-Hartman
2017-10-16 16:15 ` [PATCH 4.13 02/53] MIPS: math-emu: Remove pr_err() calls from fpu_emu() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 03/53] MIPS: bpf: Fix uninitialised target compiler error Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 04/53] mei: always use domain runtime pm callbacks Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 05/53] dmaengine: edma: Align the memcpy acnt array size with the transfer Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 06/53] dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 07/53] NFS: Fix uninitialized rpc_wait_queue Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 08/53] nfs/filelayout: fix oops when freeing filelayout segment Greg Kroah-Hartman
2017-10-16 16:16 ` Greg Kroah-Hartman [this message]
2017-10-16 16:16 ` [PATCH 4.13 12/53] KVM: MMU: always terminate page walks at level 1 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 13/53] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 14/53] usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 16/53] iommu/amd: Finish TLB flush in amd_iommu_unmap() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 17/53] device property: Track owner device of device property Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 18/53] Revert "vmalloc: back off when the current task is killed" Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 19/53] fs/mpage.c: fix mpage_writepage() for pages with buffers Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 20/53] ALSA: usb-audio: Kill stray URB at exiting Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 21/53] ALSA: seq: Fix use-after-free at creating a port Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 22/53] ALSA: seq: Fix copy_from_user() call inside lock Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 23/53] ALSA: caiaq: Fix stray URB at probe error path Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 24/53] ALSA: line6: Fix NULL dereference at podhd_disconnect() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 25/53] ALSA: line6: Fix missing initialization before error path Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 26/53] ALSA: line6: Fix leftover URB at error-path during probe Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 27/53] drm/atomic: Unref duplicated drm_atomic_state in drm_atomic_helper_resume() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 28/53] drm/i915/edp: Get the Panel Power Off timestamp after panel is off Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 31/53] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 32/53] usb: gadget: configfs: Fix memory leak of interface directory data Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 33/53] usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 34/53] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping functions Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 35/53] Revert "PCI: tegra: Do not allocate MSI target memory" Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 36/53] direct-io: Prevent NULL pointer access in submit_page_section Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 37/53] fix unbalanced page refcounting in bio_map_user_iov Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 38/53] more bio_map_user_iov() leak fixes Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 39/53] bio_copy_user_iov(): dont ignore ->iov_offset Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 40/53] perf script: Add missing separator for "-F ip,brstack" (and brstackoff) Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 41/53] genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 42/53] genirq/cpuhotplug: Add sanity check for effective affinity mask Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 43/53] USB: serial: ftdi_sio: add id for Cypress WICED dev board Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 44/53] USB: serial: cp210x: fix partnum regression Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 45/53] USB: serial: cp210x: add support for ELV TFD500 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 46/53] USB: serial: option: add support for TP-Link LTE module Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 47/53] USB: serial: qcserial: add Dell DW5818, DW5819 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 48/53] USB: serial: console: fix use-after-free on disconnect Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 49/53] USB: serial: console: fix use-after-free after failed setup Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 50/53] RAS/CEC: Use the right length for "cec_disable" Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 51/53] x86/microcode: Do the family check first Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 52/53] x86/alternatives: Fix alt_max_short macro to really be a max() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 53/53] KVM: nVMX: update last_nonleaf_level when initializing nested EPT Greg Kroah-Hartman
2017-10-16 23:41 ` [PATCH 4.13 00/53] 4.13.8-stable review Shuah Khan
2017-10-17 6:59 ` Greg Kroah-Hartman
2017-10-17 0:25 ` Guenter Roeck
2017-10-17 13:21 ` Greg Kroah-Hartman
[not found] ` <20171016161443.534299546@linuxfoundation.org>
[not found] ` <866e97b1-08dd-fd43-7713-699759f63fcf@3CityElectronics.com>
2017-10-17 7:02 ` [PATCH 4.13 30/53] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel Jani Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171016161442.620630412@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=climbbb.kim@gmail.com \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).