[PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback

[PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback

[Jiri Kosina]

The report passed to us from transport driver could potentially be 
arbitrarily large, therefore we better sanity-check it so that 
magicmouse_emit_touch() gets only valid values of raw_id.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
 drivers/hid/hid-magicmouse.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
index ecc2cbf..29a74c1 100644
--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
 		if (size < 4 || ((size - 4) % 9) != 0)
 			return 0;
 		npoints = (size - 4) / 9;
+		if (npoints > 15) {
+			hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
+					size);
+			return 0;
+		}
 		msc->ntouches = 0;
 		for (ii = 0; ii < npoints; ii++)
 			magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
 		if (size < 6 || ((size - 6) % 8) != 0)
 			return 0;
 		npoints = (size - 6) / 8;
+		if (npoints > 15) {
+			hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
+					size);
+			return 0;
+		}
 		msc->ntouches = 0;
 		for (ii = 0; ii < npoints; ii++)
 			magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
-- 
1.9.2

[PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback

[Jiri Kosina]

The report passed to us from transport driver could potentially be 
arbitrarily large, therefore we better sanity-check it so that raw_data 
that we hold in picolcd_pending structure are always kept within proper 
bounds.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
 drivers/hid/hid-picolcd_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index acbb0210..020df3c 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
 	if (!data)
 		return 1;
 
+	if (size > 64) {
+		hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
+				size);
+		return 0;
+	}
+
 	if (report->id == REPORT_KEY_STATE) {
 		if (data->input_keys)
 			ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
-- 
1.9.2

Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback

[Bruno Prémont]

On Wed, 27 Aug 2014 09:13:15 +0200 (CEST) Jiri Kosina wrote:
> The report passed to us from transport driver could potentially be 
> arbitrarily large, therefore we better sanity-check it so that raw_data 
> that we hold in picolcd_pending structure are always kept within proper 
> bounds.
> 
> Cc: stable@vger.kernel.org
> Reported-by: Steven Vittitoe <scvitti@google.com>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Acked-by: Bruno Prémont <bonbons@linux-vserver.org>

> ---
>  drivers/hid/hid-picolcd_core.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
> index acbb0210..020df3c 100644
> --- a/drivers/hid/hid-picolcd_core.c
> +++ b/drivers/hid/hid-picolcd_core.c
> @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
>  	if (!data)
>  		return 1;
>  
> +	if (size > 64) {
> +		hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
> +				size);

Is it worth adding report->id to this hid_warn()?

A valid device is not expected to ever send >64 bytes reports but in
case a firmware update would do so it would help to know for which
report it was.

> +		return 0;
> +	}
> +
>  	if (report->id == REPORT_KEY_STATE) {
>  		if (data->input_keys)
>  			ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);

Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback

[Jiri Kosina]

On Wed, 27 Aug 2014, Bruno Prémont wrote:

> > The report passed to us from transport driver could potentially be 
> > arbitrarily large, therefore we better sanity-check it so that raw_data 
> > that we hold in picolcd_pending structure are always kept within proper 
> > bounds.
> > 
> > Cc: stable@vger.kernel.org
> > Reported-by: Steven Vittitoe <scvitti@google.com>
> > Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> 
> Acked-by: Bruno Prémont <bonbons@linux-vserver.org>

Thanks.

> > ---
> >  drivers/hid/hid-picolcd_core.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
> > index acbb0210..020df3c 100644
> > --- a/drivers/hid/hid-picolcd_core.c
> > +++ b/drivers/hid/hid-picolcd_core.c
> > @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
> >  	if (!data)
> >  		return 1;
> >  
> > +	if (size > 64) {
> > +		hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
> > +				size);
> 
> Is it worth adding report->id to this hid_warn()?
> 
> A valid device is not expected to ever send >64 bytes reports but in
> case a firmware update would do so it would help to know for which
> report it was.

It definitely wouldn't hurt. Pull request with the original patch is now 
on its way to Linus though, so let's do this as a followup patch on top 
once this is merged.

-- 
Jiri Kosina
SUSE Labs

Re: [PATCH 1/2] HID: magicmouse: sanity check report size in raw_event() callback

[Benjamin Tissoires]

On Wed, Aug 27, 2014 at 3:12 AM, Jiri Kosina <jkosina@suse.cz> wrote:
> The report passed to us from transport driver could potentially be
> arbitrarily large, therefore we better sanity-check it so that
> magicmouse_emit_touch() gets only valid values of raw_id.
>
> Cc: stable@vger.kernel.org
> Reported-by: Steven Vittitoe <scvitti@google.com>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Fair enough.
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>

Cheers,
Benjamin

> ---
>  drivers/hid/hid-magicmouse.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
> index ecc2cbf..29a74c1 100644
> --- a/drivers/hid/hid-magicmouse.c
> +++ b/drivers/hid/hid-magicmouse.c
> @@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
>                 if (size < 4 || ((size - 4) % 9) != 0)
>                         return 0;
>                 npoints = (size - 4) / 9;
> +               if (npoints > 15) {
> +                       hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
> +                                       size);
> +                       return 0;
> +               }
>                 msc->ntouches = 0;
>                 for (ii = 0; ii < npoints; ii++)
>                         magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
> @@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
>                 if (size < 6 || ((size - 6) % 8) != 0)
>                         return 0;
>                 npoints = (size - 6) / 8;
> +               if (npoints > 15) {
> +                       hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
> +                                       size);
> +                       return 0;
> +               }
>                 msc->ntouches = 0;
>                 for (ii = 0; ii < npoints; ii++)
>                         magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
> --
> 1.9.2
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback

[Jiri Kosina]

On Wed, 27 Aug 2014, Jiri Kosina wrote:

> > Is it worth adding report->id to this hid_warn()?
> > 
> > A valid device is not expected to ever send >64 bytes reports but in
> > case a firmware update would do so it would help to know for which
> > report it was.
> 
> It definitely wouldn't hurt. Pull request with the original patch is now 
> on its way to Linus though, so let's do this as a followup patch on top 
> once this is merged.

I've just queued the below for 3.18.



From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] HID: picolcd: be more verbose when reporting report size error

picolcd device is not expected to send any report with size larger than 64 
bytes.

If this impossible event happens (sic!), print also a report ID to allow 
for easier debugging.

Suggested-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
 drivers/hid/hid-picolcd_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index 020df3c..c1b29a9 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -351,8 +351,8 @@ static int picolcd_raw_event(struct hid_device *hdev,
 		return 1;
 
 	if (size > 64) {
-		hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
-				size);
+		hid_warn(hdev, "invalid size value (%d) for picolcd raw event (%d)\n",
+				size, report->id);
 		return 0;
 	}
 
-- 
Jiri Kosina
SUSE Labs

Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback

[Bruno Prémont]

On Wed, 27 Aug 2014 23:32:00 +0200 (CEST) Jiri Kosina wrote:
> On Wed, 27 Aug 2014, Jiri Kosina wrote:
> 
> > > Is it worth adding report->id to this hid_warn()?
> > > 
> > > A valid device is not expected to ever send >64 bytes reports but in
> > > case a firmware update would do so it would help to know for which
> > > report it was.
> > 
> > It definitely wouldn't hurt. Pull request with the original patch is now 
> > on its way to Linus though, so let's do this as a followup patch on top 
> > once this is merged.
> 
> I've just queued the below for 3.18.

Looks good,
Thanks

Bruno

> From: Jiri Kosina <jkosina@suse.cz>
> Subject: [PATCH] HID: picolcd: be more verbose when reporting report size error
> 
> picolcd device is not expected to send any report with size larger than 64 
> bytes.
> 
> If this impossible event happens (sic!), print also a report ID to allow 
> for easier debugging.
> 
> Suggested-by: Bruno Prémont <bonbons@linux-vserver.org>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> ---
>  drivers/hid/hid-picolcd_core.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
> index 020df3c..c1b29a9 100644
> --- a/drivers/hid/hid-picolcd_core.c
> +++ b/drivers/hid/hid-picolcd_core.c
> @@ -351,8 +351,8 @@ static int picolcd_raw_event(struct hid_device *hdev,
>  		return 1;
>  
>  	if (size > 64) {
> -		hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
> -				size);
> +		hid_warn(hdev, "invalid size value (%d) for picolcd raw event (%d)\n",
> +				size, report->id);
>  		return 0;
>  	}
>