releases/5.5.8/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001
 From: Johan Korsnes <jkorsnes@cisco.com>
 Date: Fri, 17 Jan 2020 13:08:35 +0100
 Subject: HID: core: fix off-by-one memset in hid_report_raw_event()

 From: Johan Korsnes <jkorsnes@cisco.com>

 commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream.

 In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated,
 but the report-number byte is not correctly handled. This results in a
 off-by-one in the following memset, causing a kernel Oops and ensuing
 system crash.

 Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in
 hid_field_extract") I no longer hit the kernel Oops as we instead fail
 "controlled" at probe if there is a report too long in the HID
 report-descriptor. hid_report_raw_event() is an exported symbol, so
 presumabely we cannot always rely on this being the case.

 Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event()
                      function.")
 Signed-off-by: Johan Korsnes <jkorsnes@cisco.com>
 Cc: Armando Visconti <armando.visconti@st.com>
 Cc: Jiri Kosina <jkosina@suse.cz>
 Cc: Alan Stern <stern@rowland.harvard.edu>
 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/hid/hid-core.c |    4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

 --- a/drivers/hid/hid-core.c
 +++ b/drivers/hid/hid-core.c
 @@ -1741,7 +1741,9 @@ int hid_report_raw_event(struct hid_devi

  	rsize = ((report->size - 1) >> 3) + 1;

 -	if (rsize > HID_MAX_BUFFER_SIZE)
 +	if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
 +		rsize = HID_MAX_BUFFER_SIZE - 1;
 +	else if (rsize > HID_MAX_BUFFER_SIZE)
  		rsize = HID_MAX_BUFFER_SIZE;

  	if (csize < rsize) {
	From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001
	From: Johan Korsnes <jkorsnes@cisco.com>
	Date: Fri, 17 Jan 2020 13:08:35 +0100
	Subject: HID: core: fix off-by-one memset in hid_report_raw_event()

	From: Johan Korsnes <jkorsnes@cisco.com>

	commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream.

	In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated,
	but the report-number byte is not correctly handled. This results in a
	off-by-one in the following memset, causing a kernel Oops and ensuing
	system crash.

	Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in
	hid_field_extract") I no longer hit the kernel Oops as we instead fail
	"controlled" at probe if there is a report too long in the HID
	report-descriptor. hid_report_raw_event() is an exported symbol, so
	presumabely we cannot always rely on this being the case.

	Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event()
	function.")
	Signed-off-by: Johan Korsnes <jkorsnes@cisco.com>
	Cc: Armando Visconti <armando.visconti@st.com>
	Cc: Jiri Kosina <jkosina@suse.cz>
	Cc: Alan Stern <stern@rowland.harvard.edu>
	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/hid/hid-core.c \| 4 +++-
	1 file changed, 3 insertions(+), 1 deletion(-)

	--- a/drivers/hid/hid-core.c
	+++ b/drivers/hid/hid-core.c
	@@ -1741,7 +1741,9 @@ int hid_report_raw_event(struct hid_devi

	rsize = ((report->size - 1) >> 3) + 1;

	- if (rsize > HID_MAX_BUFFER_SIZE)
	+ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
	+ rsize = HID_MAX_BUFFER_SIZE - 1;
	+ else if (rsize > HID_MAX_BUFFER_SIZE)
	rsize = HID_MAX_BUFFER_SIZE;

	if (csize < rsize) {