[PATCH 5.2 16/45] HID: hidraw: Fix invalid read in hidraw_ioctl

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Jiri Kosina <jkosina@suse.cz>,
	syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Subject: [PATCH 5.2 16/45] HID: hidraw: Fix invalid read in hidraw_ioctl
Date: Sun, 29 Sep 2019 15:55:44 +0200	[thread overview]
Message-ID: <20190929135028.883859509@linuxfoundation.org> (raw)
In-Reply-To: <20190929135024.387033930@linuxfoundation.org>

From: Alan Stern <stern@rowland.harvard.edu>

commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream.

The syzbot fuzzer has reported a pair of problems in the
hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
read.  An example of the first:

BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833

CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  strlen+0x79/0x90 lib/string.c:525
  strlen include/linux/string.h:281 [inline]
  hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
  vfs_ioctl fs/ioctl.c:46 [inline]
  file_ioctl fs/ioctl.c:509 [inline]
  do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
  ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
  __do_sys_ioctl fs/ioctl.c:720 [inline]
  __se_sys_ioctl fs/ioctl.c:718 [inline]
  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff

The two problems have the same cause: hidraw_ioctl() fails to test
whether the device has been removed.  This patch adds the missing test.

Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hidraw.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -370,7 +370,7 @@ static long hidraw_ioctl(struct file *fi
 
 	mutex_lock(&minors_lock);
 	dev = hidraw_table[minor];
-	if (!dev) {
+	if (!dev || !dev->exist) {
 		ret = -ENODEV;
 		goto out;
 	}

next prev parent reply	other threads:[~2019-09-29 14:05 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-29 13:55 [PATCH 5.2 00/45] 5.2.18-stable review Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 01/45] Revert "Bluetooth: validate BLE connection interval updates" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 02/45] smb3: fix unmount hang in open_shroot Greg Kroah-Hartman
2019-10-01 20:41   ` Pavel Shilovskiy
2019-10-01 22:49     ` Sasha Levin
2019-10-01 22:58       ` Pavel Shilovskiy
2019-09-29 13:55 ` [PATCH 5.2 03/45] phy: qcom-qmp: Raise qcom_qmp_phy_enable() polling delay Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 04/45] phy: qcom-qmp: Correct ready status, again Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 05/45] net/ibmvnic: free reset work of removed device from queue Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 06/45] drm/amd/display: Allow cursor async updates for framebuffer swaps Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 07/45] drm/amd/display: Skip determining update type for async updates Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 08/45] drm/amd/display: Dont replace the dc_state for fast updates Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 09/45] powerpc/xive: Fix bogus error code returned by OPAL Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 10/45] drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 11/45] Revert "net: hns: fix LED configuration for marvell phy" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 12/45] HID: prodikeys: Fix general protection fault during probe Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 13/45] HID: sony: Fix memory corruption issue on cleanup Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 14/45] HID: logitech: Fix general protection fault caused by Logitech driver Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 15/45] HID: logitech-dj: Fix crash when initial logi_dj_recv_query_paired_devices fails Greg Kroah-Hartman
2019-09-29 13:55 ` Greg Kroah-Hartman [this message]
2019-09-29 13:55 ` [PATCH 5.2 17/45] HID: Add quirk for HP X500 PIXART OEM mouse Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 18/45] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 19/45] crypto: talitos - fix missing break in switch statement Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 20/45] clk: imx: imx8mm: fix audio pll setting Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 21/45] Revert "HID: logitech-hidpp: add USB PID for a few more supported mice" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 22/45] Revert "mm/z3fold.c: fix race between migration and destruction" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 23/45] ALSA: usb-audio: Add Hiby device family to quirks for native DSD support Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 24/45] ALSA: usb-audio: Add DSD support for EVGA NU Audio Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 25/45] ALSA: dice: fix wrong packet parameter for Alesis iO26 Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 26/45] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 27/45] ALSA: hda - Apply AMD controller workaround for Raven platform Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 28/45] platform/x86: i2c-multi-instantiate: Derive the device name from parent Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 29/45] objtool: Clobber user CFLAGS variable Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 30/45] Revert "f2fs: avoid out-of-range memory access" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 31/45] dm zoned: fix invalid memory access Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 32/45] net/ibmvnic: Fix missing { in __ibmvnic_reset Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 33/45] f2fs: fix to do sanity check on segment bitmap of LFS curseg Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 34/45] drm: Flush output polling on shutdown Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 35/45] drm/dp: Add DP_DPCD_QUIRK_NO_SINK_COUNT Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 36/45] net: dont warn in inet diag when IPV6 is disabled Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 37/45] Bluetooth: btrtl: HCI reset on close for Realtek BT chip Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 38/45] ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 39/45] drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 40/45] xfs: dont crash on null attr fork xfs_bmapi_read Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 41/45] xfrm: policy: avoid warning splat when merging nodes Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 42/45] netfilter: nft_socket: fix erroneous socket assignment Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 43/45] Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 44/45] net_sched: check cops->tcf_block in tc_bind_tclass() Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 45/45] net/rds: An rds_sock is added too early to the hash table Greg Kroah-Hartman
2019-09-29 19:00 ` [PATCH 5.2 00/45] 5.2.18-stable review kernelci.org bot
2019-09-30 18:30 ` Guenter Roeck
2019-10-01  0:53 ` shuah
2019-10-01  1:10 ` Dan Rue
2019-10-01 14:58 ` Jon Hunter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190929135028.883859509@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=jkosina@suse.cz \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).