From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Anirudh Rayabharam <mail@anirudhrb.com>,
syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
Jiri Kosina <jkosina@suse.cz>, Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org, linux-input@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 08/29] HID: usbhid: fix info leak in hid_submit_ctrl
Date: Mon, 7 Jun 2021 12:13:49 -0400 [thread overview]
Message-ID: <20210607161410.3584036-8-sashal@kernel.org> (raw)
In-Reply-To: <20210607161410.3584036-1-sashal@kernel.org>
From: Anirudh Rayabharam <mail@anirudhrb.com>
[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ]
In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.
To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().
Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-core.c | 2 +-
include/linux/hid.h | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 17a638f15082..1cfbbaf6901d 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -374,7 +374,7 @@ static int hid_submit_ctrl(struct hid_device *hid)
raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report;
dir = usbhid->ctrl[usbhid->ctrltail].dir;
- len = ((report->size - 1) >> 3) + 1 + (report->id > 0);
+ len = hid_report_len(report);
if (dir == USB_DIR_OUT) {
usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
usbhid->urbctrl->transfer_buffer_length = len;
diff --git a/include/linux/hid.h b/include/linux/hid.h
index ae906deb42e8..85bedeb9ca9f 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1154,8 +1154,7 @@ static inline void hid_hw_wait(struct hid_device *hdev)
*/
static inline u32 hid_report_len(struct hid_report *report)
{
- /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
- return ((report->size - 1) >> 3) + 1 + (report->id > 0);
+ return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
}
int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
--
2.30.2
next prev parent reply other threads:[~2021-06-07 16:19 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-07 16:13 [PATCH AUTOSEL 5.4 01/29] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 02/29] HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 03/29] HID: hid-input: add mapping for emoji picker key Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 04/29] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 05/29] HID: quirks: Add quirk for Lenovo optical mouse Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 06/29] HID: multitouch: set Stylus suffix for Stylus-application devices, too Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 07/29] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
2021-06-07 16:13 ` Sasha Levin [this message]
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 09/29] drm/tegra: sor: Do not leak runtime PM reference Sasha Levin
2021-06-07 16:13 ` Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 10/29] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
2021-06-07 16:13 ` Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 11/29] gfs2: Prevent direct-I/O write fallback errors from getting lost Sasha Levin
2021-06-07 16:13 ` [Cluster-devel] " Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 12/29] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 13/29] riscv: Use -mno-relax when using lld linker Sasha Levin
2021-06-07 16:13 ` Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 14/29] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
2021-06-07 16:13 ` [Cluster-devel] " Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 15/29] Bluetooth: use correct lock to prevent UAF of hdev object Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 16/29] scsi: target: core: Fix warning on realtime kernels Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 17/29] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
2021-06-07 16:13 ` [PATCH AUTOSEL 5.4 18/29] scsi: qedf: Do not put host in qedf_vport_create() unconditionally Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 19/29] scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 20/29] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 21/29] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 22/29] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 23/29] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 24/29] drm/amd/display: Allow bandwidth validation for 0 streams Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 25/29] drm/amd/display: Fix overlay validation by considering cursors Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 26/29] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 27/29] net/x25: Return the correct errno code Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 28/29] net: " Sasha Levin
2021-06-07 16:14 ` [PATCH AUTOSEL 5.4 29/29] fib: " Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210607161410.3584036-8-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=jkosina@suse.cz \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mail@anirudhrb.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.