* [PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback
@ 2014-08-27 7:12 Jiri Kosina
2014-08-27 7:13 ` [PATCH 2/2] HID: picolcd: " Jiri Kosina
2014-08-27 13:54 ` [PATCH 1/2] HID: magicmouse: " Benjamin Tissoires
0 siblings, 2 replies; 7+ messages in thread
From: Jiri Kosina @ 2014-08-27 7:12 UTC (permalink / raw)
To: linux-input; +Cc: linux-kernel
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.
Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-magicmouse.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
index ecc2cbf..29a74c1 100644
--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
if (size < 4 || ((size - 4) % 9) != 0)
return 0;
npoints = (size - 4) / 9;
+ if (npoints > 15) {
+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
+ size);
+ return 0;
+ }
msc->ntouches = 0;
for (ii = 0; ii < npoints; ii++)
magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
if (size < 6 || ((size - 6) % 8) != 0)
return 0;
npoints = (size - 6) / 8;
+ if (npoints > 15) {
+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
+ size);
+ return 0;
+ }
msc->ntouches = 0;
for (ii = 0; ii < npoints; ii++)
magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
--
1.9.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
2014-08-27 7:12 [PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback Jiri Kosina
@ 2014-08-27 7:13 ` Jiri Kosina
2014-08-27 8:13 ` Bruno Prémont
2014-08-27 13:54 ` [PATCH 1/2] HID: magicmouse: " Benjamin Tissoires
1 sibling, 1 reply; 7+ messages in thread
From: Jiri Kosina @ 2014-08-27 7:13 UTC (permalink / raw)
To: linux-input; +Cc: linux-kernel, Bruno Prémont
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that raw_data
that we hold in picolcd_pending structure are always kept within proper
bounds.
Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-picolcd_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index acbb0210..020df3c 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
if (!data)
return 1;
+ if (size > 64) {
+ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
+ size);
+ return 0;
+ }
+
if (report->id == REPORT_KEY_STATE) {
if (data->input_keys)
ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
--
1.9.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
2014-08-27 7:13 ` [PATCH 2/2] HID: picolcd: " Jiri Kosina
@ 2014-08-27 8:13 ` Bruno Prémont
2014-08-27 8:25 ` Jiri Kosina
0 siblings, 1 reply; 7+ messages in thread
From: Bruno Prémont @ 2014-08-27 8:13 UTC (permalink / raw)
To: Jiri Kosina; +Cc: linux-input, linux-kernel
On Wed, 27 Aug 2014 09:13:15 +0200 (CEST) Jiri Kosina wrote:
> The report passed to us from transport driver could potentially be
> arbitrarily large, therefore we better sanity-check it so that raw_data
> that we hold in picolcd_pending structure are always kept within proper
> bounds.
>
> Cc: stable@vger.kernel.org
> Reported-by: Steven Vittitoe <scvitti@google.com>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
> ---
> drivers/hid/hid-picolcd_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
> index acbb0210..020df3c 100644
> --- a/drivers/hid/hid-picolcd_core.c
> +++ b/drivers/hid/hid-picolcd_core.c
> @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
> if (!data)
> return 1;
>
> + if (size > 64) {
> + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
> + size);
Is it worth adding report->id to this hid_warn()?
A valid device is not expected to ever send >64 bytes reports but in
case a firmware update would do so it would help to know for which
report it was.
> + return 0;
> + }
> +
> if (report->id == REPORT_KEY_STATE) {
> if (data->input_keys)
> ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
2014-08-27 8:13 ` Bruno Prémont
@ 2014-08-27 8:25 ` Jiri Kosina
2014-08-27 21:32 ` Jiri Kosina
0 siblings, 1 reply; 7+ messages in thread
From: Jiri Kosina @ 2014-08-27 8:25 UTC (permalink / raw)
To: Bruno Prémont; +Cc: linux-input, linux-kernel
On Wed, 27 Aug 2014, Bruno Prémont wrote:
> > The report passed to us from transport driver could potentially be
> > arbitrarily large, therefore we better sanity-check it so that raw_data
> > that we hold in picolcd_pending structure are always kept within proper
> > bounds.
> >
> > Cc: stable@vger.kernel.org
> > Reported-by: Steven Vittitoe <scvitti@google.com>
> > Signed-off-by: Jiri Kosina <jkosina@suse.cz>
>
> Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
Thanks.
> > ---
> > drivers/hid/hid-picolcd_core.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
> > index acbb0210..020df3c 100644
> > --- a/drivers/hid/hid-picolcd_core.c
> > +++ b/drivers/hid/hid-picolcd_core.c
> > @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
> > if (!data)
> > return 1;
> >
> > + if (size > 64) {
> > + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
> > + size);
>
> Is it worth adding report->id to this hid_warn()?
>
> A valid device is not expected to ever send >64 bytes reports but in
> case a firmware update would do so it would help to know for which
> report it was.
It definitely wouldn't hurt. Pull request with the original patch is now
on its way to Linus though, so let's do this as a followup patch on top
once this is merged.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback
2014-08-27 7:12 [PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback Jiri Kosina
2014-08-27 7:13 ` [PATCH 2/2] HID: picolcd: " Jiri Kosina
@ 2014-08-27 13:54 ` Benjamin Tissoires
1 sibling, 0 replies; 7+ messages in thread
From: Benjamin Tissoires @ 2014-08-27 13:54 UTC (permalink / raw)
To: Jiri Kosina; +Cc: linux-input, linux-kernel
On Wed, Aug 27, 2014 at 3:12 AM, Jiri Kosina <jkosina@suse.cz> wrote:
> The report passed to us from transport driver could potentially be
> arbitrarily large, therefore we better sanity-check it so that
> magicmouse_emit_touch() gets only valid values of raw_id.
>
> Cc: stable@vger.kernel.org
> Reported-by: Steven Vittitoe <scvitti@google.com>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Fair enough.
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cheers,
Benjamin
> ---
> drivers/hid/hid-magicmouse.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
> index ecc2cbf..29a74c1 100644
> --- a/drivers/hid/hid-magicmouse.c
> +++ b/drivers/hid/hid-magicmouse.c
> @@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
> if (size < 4 || ((size - 4) % 9) != 0)
> return 0;
> npoints = (size - 4) / 9;
> + if (npoints > 15) {
> + hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
> + size);
> + return 0;
> + }
> msc->ntouches = 0;
> for (ii = 0; ii < npoints; ii++)
> magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
> @@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
> if (size < 6 || ((size - 6) % 8) != 0)
> return 0;
> npoints = (size - 6) / 8;
> + if (npoints > 15) {
> + hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
> + size);
> + return 0;
> + }
> msc->ntouches = 0;
> for (ii = 0; ii < npoints; ii++)
> magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
> --
> 1.9.2
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
2014-08-27 8:25 ` Jiri Kosina
@ 2014-08-27 21:32 ` Jiri Kosina
2014-08-28 5:57 ` Bruno Prémont
0 siblings, 1 reply; 7+ messages in thread
From: Jiri Kosina @ 2014-08-27 21:32 UTC (permalink / raw)
To: Bruno Prémont; +Cc: linux-input, linux-kernel
On Wed, 27 Aug 2014, Jiri Kosina wrote:
> > Is it worth adding report->id to this hid_warn()?
> >
> > A valid device is not expected to ever send >64 bytes reports but in
> > case a firmware update would do so it would help to know for which
> > report it was.
>
> It definitely wouldn't hurt. Pull request with the original patch is now
> on its way to Linus though, so let's do this as a followup patch on top
> once this is merged.
I've just queued the below for 3.18.
From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] HID: picolcd: be more verbose when reporting report size error
picolcd device is not expected to send any report with size larger than 64
bytes.
If this impossible event happens (sic!), print also a report ID to allow
for easier debugging.
Suggested-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-picolcd_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index 020df3c..c1b29a9 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -351,8 +351,8 @@ static int picolcd_raw_event(struct hid_device *hdev,
return 1;
if (size > 64) {
- hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
- size);
+ hid_warn(hdev, "invalid size value (%d) for picolcd raw event (%d)\n",
+ size, report->id);
return 0;
}
--
Jiri Kosina
SUSE Labs
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
2014-08-27 21:32 ` Jiri Kosina
@ 2014-08-28 5:57 ` Bruno Prémont
0 siblings, 0 replies; 7+ messages in thread
From: Bruno Prémont @ 2014-08-28 5:57 UTC (permalink / raw)
To: Jiri Kosina; +Cc: linux-input, linux-kernel
On Wed, 27 Aug 2014 23:32:00 +0200 (CEST) Jiri Kosina wrote:
> On Wed, 27 Aug 2014, Jiri Kosina wrote:
>
> > > Is it worth adding report->id to this hid_warn()?
> > >
> > > A valid device is not expected to ever send >64 bytes reports but in
> > > case a firmware update would do so it would help to know for which
> > > report it was.
> >
> > It definitely wouldn't hurt. Pull request with the original patch is now
> > on its way to Linus though, so let's do this as a followup patch on top
> > once this is merged.
>
> I've just queued the below for 3.18.
Looks good,
Thanks
Bruno
> From: Jiri Kosina <jkosina@suse.cz>
> Subject: [PATCH] HID: picolcd: be more verbose when reporting report size error
>
> picolcd device is not expected to send any report with size larger than 64
> bytes.
>
> If this impossible event happens (sic!), print also a report ID to allow
> for easier debugging.
>
> Suggested-by: Bruno Prémont <bonbons@linux-vserver.org>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> ---
> drivers/hid/hid-picolcd_core.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
> index 020df3c..c1b29a9 100644
> --- a/drivers/hid/hid-picolcd_core.c
> +++ b/drivers/hid/hid-picolcd_core.c
> @@ -351,8 +351,8 @@ static int picolcd_raw_event(struct hid_device *hdev,
> return 1;
>
> if (size > 64) {
> - hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
> - size);
> + hid_warn(hdev, "invalid size value (%d) for picolcd raw event (%d)\n",
> + size, report->id);
> return 0;
> }
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-08-28 5:57 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-27 7:12 [PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback Jiri Kosina
2014-08-27 7:13 ` [PATCH 2/2] HID: picolcd: " Jiri Kosina
2014-08-27 8:13 ` Bruno Prémont
2014-08-27 8:25 ` Jiri Kosina
2014-08-27 21:32 ` Jiri Kosina
2014-08-28 5:57 ` Bruno Prémont
2014-08-27 13:54 ` [PATCH 1/2] HID: magicmouse: " Benjamin Tissoires
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).