From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
linux-input@vger.kernel.org, Lee Jones <lee.jones@linaro.org>,
Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 5.15 27/73] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report
Date: Fri, 2 Sep 2022 14:18:51 +0200 [thread overview]
Message-ID: <20220902121405.336885912@linuxfoundation.org> (raw)
In-Reply-To: <20220902121404.435662285@linuxfoundation.org>
From: Lee Jones <lee.jones@linaro.org>
commit cd11d1a6114bd4bc6450ae59f6e110ec47362126 upstream.
It is possible for a malicious device to forgo submitting a Feature
Report. The HID Steam driver presently makes no prevision for this
and de-references the 'struct hid_report' pointer obtained from the
HID devices without first checking its validity. Let's change that.
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-steam.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -134,6 +134,11 @@ static int steam_recv_report(struct stea
int ret;
r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+ if (!r) {
+ hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
+ return -EINVAL;
+ }
+
if (hid_report_len(r) < 64)
return -EINVAL;
@@ -165,6 +170,11 @@ static int steam_send_report(struct stea
int ret;
r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+ if (!r) {
+ hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
+ return -EINVAL;
+ }
+
if (hid_report_len(r) < 64)
return -EINVAL;
next prev parent reply other threads:[~2022-09-02 12:47 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-02 12:18 [PATCH 5.15 00/73] 5.15.65-rc1 review Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 01/73] mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 02/73] drm/bridge: Add stubs for devm_drm_of_get_bridge when OF is disabled Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 03/73] ACPI: thermal: drop an always true check Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 04/73] drm/vc4: hdmi: Rework power up Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 05/73] drm/vc4: hdmi: Depends on CONFIG_PM Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 06/73] firmware: tegra: bpmp: Do only aligned access to IPC memory area Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 07/73] crypto: lib - remove unneeded selection of XOR_BLOCKS Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 08/73] Drivers: hv: balloon: Support status report for larger page sizes Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 09/73] mm/hugetlb: avoid corrupting page->mapping in hugetlb_mcopy_atomic_pte Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 10/73] arm64: errata: Add Cortex-A510 to the repeat tlbi list Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 11/73] io_uring: correct fill events helpers types Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 12/73] io_uring: clean cqe filling functions Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 13/73] io_uring: refactor poll update Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 14/73] io_uring: move common poll bits Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 15/73] io_uring: kill poll linking optimisation Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 16/73] io_uring: inline io_poll_complete Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 17/73] io_uring: poll rework Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 18/73] io_uring: Remove unused function req_ref_put Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 19/73] io_uring: remove poll entry from list when canceling all Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 20/73] io_uring: bump poll refs to full 31-bits Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 21/73] io_uring: fail links when poll fails Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 22/73] io_uring: fix wrong arm_poll error handling Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 23/73] io_uring: fix UAF due to missing POLLFREE handling Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 24/73] kbuild: Fix include path in scripts/Makefile.modpost Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 25/73] Bluetooth: L2CAP: Fix build errors in some archs Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 26/73] Revert "PCI/portdrv: Dont disable AER reporting in get_port_device_capability()" Greg Kroah-Hartman
2022-09-02 12:18 ` Greg Kroah-Hartman [this message]
2022-09-02 12:18 ` [PATCH 5.15 28/73] udmabuf: Set the DMA mask for the udmabuf device (v2) Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 29/73] media: pvrusb2: fix memory leak in pvr_probe Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 30/73] HID: hidraw: fix memory leak in hidraw_release() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 31/73] net: fix refcount bug in sk_psock_get (2) Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 32/73] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 33/73] ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 34/73] bpf: Dont redirect packets with invalid pkt_len Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.15 35/73] mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 36/73] ALSA: usb-audio: Add quirk for LH Labs Geek Out HD Audio 1V5 Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 37/73] HID: add Lenovo Yoga C630 battery quirk Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 38/73] HID: AMD_SFH: Add a DMI quirk entry for Chromebooks Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 39/73] HID: asus: ROG NKey: Ignore portion of 0x5a report Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 40/73] HID: thrustmaster: Add sparco wheel and fix array length Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 41/73] drm/i915/gt: Skip TLB invalidations once wedged Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 42/73] mmc: mtk-sd: Clear interrupts when cqe off/disable Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 43/73] mmc: sdhci-of-dwcmshc: add reset call back for rockchip Socs Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 44/73] mmc: sdhci-of-dwcmshc: rename rk3568 to rk35xx Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 45/73] mmc: sdhci-of-dwcmshc: Re-enable support for the BlueField-3 SoC Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 46/73] btrfs: remove root argument from btrfs_unlink_inode() Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 47/73] btrfs: remove no longer needed logic for replaying directory deletes Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 48/73] btrfs: add and use helper for unlinking inode during log replay Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 49/73] btrfs: fix warning during log replay when bumping inode link count Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 50/73] fs/ntfs3: Fix work with fragmented xattr Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 51/73] ASoC: sh: rz-ssi: Improve error handling in rz_ssi_probe() error path Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 52/73] drm/amd/display: Avoid MPC infinite loop Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 53/73] drm/amd/display: Fix HDMI VSIF V3 incorrect issue Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 54/73] drm/amd/display: For stereo keep "FLIP_ANY_FRAME" Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 55/73] drm/amd/display: clear optc underflow before turn off odm clock Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 56/73] ksmbd: return STATUS_BAD_NETWORK_NAME error status if share is not configured Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 57/73] neigh: fix possible DoS due to net iface start/stop loop Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 58/73] s390/hypfs: avoid error message under KVM Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 59/73] ksmbd: dont remove dos attribute xattr on O_TRUNC open Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 60/73] drm/amd/pm: add missing ->fini_microcode interface for Sienna Cichlid Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 61/73] drm/amd/display: Fix pixel clock programming Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 62/73] drm/amdgpu: Increase tlb flush timeout for sriov Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 63/73] drm/amd/display: avoid doing vm_init multiple time Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 64/73] netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 65/73] testing: selftests: nft_flowtable.sh: use random netns names Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 66/73] btrfs: move lockdep class helpers to locking.c Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 67/73] btrfs: fix lockdep splat with reloc root extent buffers Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 68/73] btrfs: tree-checker: check for overlapping extent items Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 69/73] kprobes: dont call disarm_kprobe() for disabled kprobes Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 70/73] btrfs: fix space cache corruption and potential double allocations Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 71/73] android: binder: fix lockdep check on clearing vma Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 72/73] net/af_packet: check len when min_header_len equals to 0 Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.15 73/73] net: neigh: dont call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2022-09-02 16:36 ` [PATCH 5.15 00/73] 5.15.65-rc1 review Jon Hunter
2022-09-02 18:00 ` Florian Fainelli
2022-09-02 22:06 ` Shuah Khan
2022-09-03 0:36 ` Guenter Roeck
2022-09-03 3:33 ` Naresh Kamboju
2022-09-03 4:10 ` Bagas Sanjaya
2022-09-03 7:42 ` Ron Economos
2022-09-03 10:47 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220902121405.336885912@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=benjamin.tissoires@redhat.com \
--cc=jikos@kernel.org \
--cc=jkosina@suse.cz \
--cc=lee.jones@linaro.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.