From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Marc Zyngier, Benjamin Tissoires
Subject: [PATCH 4.9 01/71] HID: core: Correctly handle ReportSize being zero
Date: Fri, 11 Sep 2020 14:45:45 +0200
Message-Id: <20200911122505.006765914@linuxfoundation.org>
In-Reply-To: <20200911122504.928931589@linuxfoundation.org>

From: Marc Zyngier

commit bce1305c0ece3dc549663605e567655dd701752c upstream.

It appears that a ReportSize value of zero is legal, even if a bit
non-sensical. Most of the HID code seems to handle that gracefully,
except when computing the total size in bytes. When fed as input to
memset, this leads to some funky outcomes.

Detect the corner case and correctly compute the size.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier
Signed-off-by: Benjamin Tissoires
Signed-off-by: Greg Kroah-Hartman
---
 drivers/hid/hid-core.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1407,6 +1407,17 @@ static void hid_output_field(const struc } /* + * Compute the size of a report. + */ +static size_t hid_compute_report_size(struct hid_report *report) +{ + if (report->size) + return ((report->size - 1) >> 3) + 1; + + return 0; +} + +/* * Create a report. 'data' has to be allocated using * hid_alloc_report_buf() so that it has proper size. */ 
@@ -1418,7 +1429,7 @@ void hid_output_report(struct hid_report if (report->id > 0) *data++ = report->id; - memset(data, 0, ((report->size - 1) >> 3) + 1); + memset(data, 0, hid_compute_report_size(report)); for (n = 0; n < report->maxfield; n++) hid_output_field(report->device, report->field[n], data); } @@ -1545,7 +1556,7 @@ int hid_report_raw_event(struct hid_devi csize--; } - rsize = ((report->size - 1) >> 3) + 1; + rsize = hid_compute_report_size(report); if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) rsize = HID_MAX_BUFFER_SIZE - 1;
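Review bot: In the first hunk, the comment on the new hid_compute_report_size() helper ("Compute the size of a report.") does not say that the result is in bytes, nor that a report->size of zero is the case being special-cased; that reasoning lives only in the commit message. Suggest expanding the comment to state that the return value is the report length in bytes and that a zero ReportSize yields 0 instead of going through "(report->size - 1) >> 3". The helper only reads the report, so the parameter could also be declared "const struct hid_report *report".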
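Review bot: In the hid_output_report() hunk, the memset() length is one of only two sites this patch converts, and the helper is declared static in hid-core.c, so any other open-coded copy of "((report->size - 1) >> 3) + 1" outside this file cannot use it. Worth grepping the HID headers and drivers for the same expression and either exporting the helper or noting in the commit message why the remaining copies are safe with a zero size.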
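Review bot: In the hid_report_raw_event() hunk, rsize can now be 0, and the check that follows only bounds it from above ("rsize >= HID_MAX_BUFFER_SIZE") and only for numbered reports. The code that consumes rsize after this clamp is outside the hunk, so it should be confirmed that it behaves sensibly with a zero length. The helper returns size_t while the declaration of rsize is not visible here; please check that the assignment does not introduce a width or signedness mismatch.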