| From 25a097f5204675550afb879ee18238ca917cba7a Mon Sep 17 00:00:00 2001 |
| From: Peilin Ye <yepeilin.cs@gmail.com> |
| Date: Wed, 29 Jul 2020 07:37:12 -0400 |
| Subject: HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() |
| |
| From: Peilin Ye <yepeilin.cs@gmail.com> |
| |
| commit 25a097f5204675550afb879ee18238ca917cba7a upstream. |
| |
| `uref->usage_index` is not always being properly checked, causing |
| hiddev_ioctl_usage() to go out of bounds under some cases. Fix it. |
| |
| Reported-by: syzbot+34ee1b45d88571c2fa8b@syzkaller.appspotmail.com |
| Link: https://syzkaller.appspot.com/bug?id=f2aebe90b8c56806b050a20b36f51ed6acabe802 |
| Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/hid/usbhid/hiddev.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/drivers/hid/usbhid/hiddev.c |
| +++ b/drivers/hid/usbhid/hiddev.c |
| @@ -554,12 +554,16 @@ static noinline int hiddev_ioctl_usage(s |
| |
| switch (cmd) { |
| case HIDIOCGUSAGE: |
| + if (uref->usage_index >= field->report_count) |
| + goto inval; |
| uref->value = field->value[uref->usage_index]; |
| if (copy_to_user(user_arg, uref, sizeof(*uref))) |
| goto fault; |
| goto goodreturn; |
| |
| case HIDIOCSUSAGE: |
| + if (uref->usage_index >= field->report_count) |
| + goto inval; |
| field->value[uref->usage_index] = uref->value; |
| goto goodreturn; |
| |