| From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001 |
| From: Johan Korsnes <jkorsnes@cisco.com> |
| Date: Fri, 17 Jan 2020 13:08:35 +0100 |
| Subject: HID: core: fix off-by-one memset in hid_report_raw_event() |
| |
| From: Johan Korsnes <jkorsnes@cisco.com> |
| |
| commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream. |
| |
| In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated, |
| but the report-number byte is not correctly handled. This results in a |
| off-by-one in the following memset, causing a kernel Oops and ensuing |
| system crash. |
| |
| Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in |
| hid_field_extract") I no longer hit the kernel Oops as we instead fail |
| "controlled" at probe if there is a report too long in the HID |
| report-descriptor. hid_report_raw_event() is an exported symbol, so |
| presumabely we cannot always rely on this being the case. |
| |
| Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event() |
| function.") |
| Signed-off-by: Johan Korsnes <jkorsnes@cisco.com> |
| Cc: Armando Visconti <armando.visconti@st.com> |
| Cc: Jiri Kosina <jkosina@suse.cz> |
| Cc: Alan Stern <stern@rowland.harvard.edu> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/hid-core.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/hid/hid-core.c |
| +++ b/drivers/hid/hid-core.c |
| @@ -1741,7 +1741,9 @@ int hid_report_raw_event(struct hid_devi |
| |
| rsize = ((report->size - 1) >> 3) + 1; |
| |
| - if (rsize > HID_MAX_BUFFER_SIZE) |
| + if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) |
| + rsize = HID_MAX_BUFFER_SIZE - 1; |
| + else if (rsize > HID_MAX_BUFFER_SIZE) |
| rsize = HID_MAX_BUFFER_SIZE; |
| |
| if (csize < rsize) { |