| From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001 |
| From: "F.A.Sulaiman" <asha.16@itfac.mrt.ac.lk> |
| Date: Tue, 24 Aug 2021 20:37:30 +0530 |
| Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe |
| |
| From: F.A.Sulaiman <asha.16@itfac.mrt.ac.lk> |
| |
| commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream. |
| |
| Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. |
| The problem is the driver assumes the device must have an input report but |
| some malicious devices violate this assumption. |
| |
| So this patch checks hid_device's input is non empty before it's been used. |
| |
| Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com |
| Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk> |
| Reviewed-by: Pavel Skripkin <paskripkin@gmail.com> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/hid/hid-betopff.c | 13 ++++++++++--- |
| 1 file changed, 10 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/hid/hid-betopff.c |
| +++ b/drivers/hid/hid-betopff.c |
| @@ -56,15 +56,22 @@ static int betopff_init(struct hid_devic |
| { |
| struct betopff_device *betopff; |
| struct hid_report *report; |
| - struct hid_input *hidinput = |
| - list_first_entry(&hid->inputs, struct hid_input, list); |
| + struct hid_input *hidinput; |
| struct list_head *report_list = |
| &hid->report_enum[HID_OUTPUT_REPORT].report_list; |
| - struct input_dev *dev = hidinput->input; |
| + struct input_dev *dev; |
| int field_count = 0; |
| int error; |
| int i, j; |
| |
| + if (list_empty(&hid->inputs)) { |
| + hid_err(hid, "no inputs found\n"); |
| + return -ENODEV; |
| + } |
| + |
| + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); |
| + dev = hidinput->input; |
| + |
| if (list_empty(report_list)) { |
| hid_err(hid, "no output reports found\n"); |
| return -ENODEV; |
