From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Jiri Kosina <jkosina@suse.cz>,
syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Subject: [PATCH 4.4 05/99] HID: hidraw: Fix invalid read in hidraw_ioctl
Date: Thu, 3 Oct 2019 17:52:28 +0200 [thread overview]
Message-ID: <20191003154254.877282336@linuxfoundation.org> (raw)
In-Reply-To: <20191003154252.297991283@linuxfoundation.org>
From: Alan Stern <stern@rowland.harvard.edu>
commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream.
The syzbot fuzzer has reported a pair of problems in the
hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
read. An example of the first:
BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833
CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
strlen+0x79/0x90 lib/string.c:525
strlen include/linux/string.h:281 [inline]
hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff
The two problems have the same cause: hidraw_ioctl() fails to test
whether the device has been removed. This patch adds the missing test.
Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hidraw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -383,7 +383,7 @@ static long hidraw_ioctl(struct file *fi
mutex_lock(&minors_lock);
dev = hidraw_table[minor];
- if (!dev) {
+ if (!dev || !dev->exist) {
ret = -ENODEV;
goto out;
}
next prev parent reply other threads:[~2019-10-03 17:42 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-03 15:52 [PATCH 4.4 00/99] 4.4.195-stable review Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 01/99] Revert "Bluetooth: validate BLE connection interval updates" Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 02/99] HID: prodikeys: Fix general protection fault during probe Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 03/99] HID: lg: make transfer buffers DMA capable Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 04/99] HID: logitech: Fix general protection fault caused by Logitech driver Greg Kroah-Hartman
2019-10-03 15:52 ` Greg Kroah-Hartman [this message]
2019-10-03 15:52 ` [PATCH 4.4 06/99] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 07/99] crypto: talitos - fix missing break in switch statement Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 08/99] [PATCH stable 4.4 net] net: rds: Fix NULL ptr use in rds_tcp_kill_sock Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 09/99] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 10/99] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 11/99] mac80211: Print text for disassociation reason Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 12/99] mac80211: handle deauthentication/disassociation from TDLS peer Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 13/99] locking/lockdep: Add debug_locks check in __lock_downgrade() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 14/99] irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 15/99] f2fs: check all the data segments against all node ones Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 16/99] Revert "f2fs: avoid out-of-range memory access" Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 17/99] f2fs: fix to do sanity check on segment bitmap of LFS curseg Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 18/99] drm: Flush output polling on shutdown Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 19/99] Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 20/99] arcnet: provide a buffer big enough to actually receive packets Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 21/99] cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 22/99] net/phy: fix DP83865 10 Mbps HDX loopback disable function Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 23/99] openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 24/99] sch_netem: fix a divide by zero in tabledist() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 25/99] skge: fix checksum byte order Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 26/99] usbnet: ignore endpoints with invalid wMaxPacketSize Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 27/99] usbnet: sanity checking of packet sizes and device mtu Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 28/99] mISDN: enforce CAP_NET_RAW for raw sockets Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 29/99] appletalk: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 30/99] ax25: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 31/99] ieee802154: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 32/99] nfc: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 33/99] ALSA: hda: Flush interrupts on disabling Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 34/99] ASoC: sgtl5000: Fix charge pump source assignment Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 35/99] dmaengine: bcm2835: Print error in case setting DMA mask fails Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 36/99] leds: leds-lp5562 allow firmware files up to the maximum length Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 37/99] media: dib0700: fix link error for dibx000_i2c_set_speed Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 38/99] media: hdpvr: Add device num check and handling Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 39/99] sched/fair: Fix imbalance due to CPU affinity Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 40/99] sched/core: Fix CPU controller for !RT_GROUP_SCHED Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 41/99] x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 42/99] x86/apic: Soft disable APIC before initializing it Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 43/99] ALSA: hda - Show the fatal CORB/RIRB error more clearly Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 44/99] ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 45/99] media: iguanair: add sanity checks Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 46/99] base: soc: Export soc_device_register/unregister APIs Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 47/99] ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 48/99] ia64:unwind: fix double free for mod->arch.init_unw_table Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 49/99] md: dont call spare_active in md_reap_sync_thread if all member devices cant work Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 50/99] md: dont set In_sync if array is frozen Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 51/99] efi: cper: print AER info of PCIe fatal error Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 52/99] media: gspca: zero usb_buf on error Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 53/99] dmaengine: iop-adma: use correct printk format strings Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 54/99] media: omap3isp: Dont set streaming state on random subdevs Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 55/99] net: lpc-enet: fix printk format strings Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 56/99] media: radio/si470x: kill urb on error Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 57/99] media: hdpvr: add terminating 0 at end of string Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 58/99] media: saa7146: add cleanup in hexium_attach() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 59/99] media: cpia2_usb: fix memory leaks Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 60/99] media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 61/99] media: ov9650: add a sanity check Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 62/99] ACPI / CPPC: do not require the _PSD method Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 63/99] libtraceevent: Change users plugin directory Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 64/99] ACPI: custom_method: fix memory leaks Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 65/99] hwmon: (acpi_power_meter) Change log level for unsafe software power cap Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 66/99] md/raid1: fail run raid1 array when active disk less than one Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 67/99] dmaengine: ti: edma: Do not reset reserved paRAM slots Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 68/99] kprobes: Prohibit probing on BUG() and WARN() address Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 69/99] ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 70/99] mmc: sdhci: Fix incorrect switch to HS mode Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 71/99] libertas: Add missing sentinel at end of if_usb.c fw_table Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 72/99] media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 73/99] ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 74/99] btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 75/99] media: omap3isp: Set device on omap3isp subdevs Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 76/99] ALSA: firewire-tascam: handle error code when getting current source of clock Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 77/99] ALSA: firewire-tascam: check intermediate state of clock status and retry Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 78/99] printk: Do not lose last line in kmsg buffer dump Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 79/99] fuse: fix missing unlock_page in fuse_writepage() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 80/99] parisc: Disable HP HSC-PCI Cards to prevent kernel crash Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 81/99] KVM: x86: always stop emulation on page fault Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 82/99] KVM: x86: set ctxt->have_exception in x86_decode_insn() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 83/99] KVM: x86: Manually calculate reserved bits when loading PDPTRS Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 84/99] media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 85/99] ASoC: Intel: Fix use of potentially uninitialized variable Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 86/99] ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 87/99] alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 88/99] md/raid6: Set R5_ReadError when there is read failure on parity disk Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 89/99] cfg80211: Purge frame registrations on iftype change Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 90/99] /dev/mem: Bail out upon SIGKILL Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 91/99] ext4: fix punch hole for inline_data file systems Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 92/99] quota: fix wrong condition in is_quota_modification() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 93/99] hwrng: core - dont wait on add_early_randomness() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 94/99] i2c: riic: Clear NACK in tend isr Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 95/99] CIFS: Fix oplock handling for SMB 2.1+ protocols Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 96/99] ovl: filter of trusted xattr results in audit Greg Kroah-Hartman
2019-10-03 15:54 ` [PATCH 4.4 97/99] Btrfs: fix use-after-free when using the tree modification log Greg Kroah-Hartman
2019-10-03 15:54 ` [PATCH 4.4 98/99] btrfs: Relinquish CPUs in btrfs_compare_trees Greg Kroah-Hartman
2019-10-03 15:54 ` [PATCH 4.4 99/99] Btrfs: fix race setting up and completing qgroup rescan workers Greg Kroah-Hartman
2019-10-03 23:53 ` [PATCH 4.4 00/99] 4.4.195-stable review shuah
2019-10-04 6:41 ` kernelci.org bot
2019-10-04 7:36 ` Jon Hunter
2019-10-04 15:02 ` Dan Rue
2019-10-04 22:55 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191003154254.877282336@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).