From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Jaejoong Kim <climbbb.kim@gmail.com>,
Alan Stern <stern@rowland.harvard.edu>,
Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 3.18 03/19] HID: usbhid: fix out-of-bounds bug
Date: Mon, 16 Oct 2017 18:11:54 +0200 [thread overview]
Message-ID: <20171016160922.181101575@linuxfoundation.org> (raw)
In-Reply-To: <20171016160922.020176454@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaejoong Kim <climbbb.kim@gmail.com>
commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.
In addition, if bNumDescriptors of the hid descriptor have an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].
So check the size of hid descriptor and bNumDescriptors.
BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x22f/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-core.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -959,6 +959,8 @@ static int usbhid_parse(struct hid_devic
unsigned int rsize = 0;
char *rdesc;
int ret, n;
+ int num_descriptors;
+ size_t offset = offsetof(struct hid_descriptor, desc);
quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
@@ -981,10 +983,18 @@ static int usbhid_parse(struct hid_devic
return -ENODEV;
}
+ if (hdesc->bLength < sizeof(struct hid_descriptor)) {
+ dbg_hid("hid descriptor is too short\n");
+ return -EINVAL;
+ }
+
hid->version = le16_to_cpu(hdesc->bcdHID);
hid->country = hdesc->bCountryCode;
- for (n = 0; n < hdesc->bNumDescriptors; n++)
+ num_descriptors = min_t(int, hdesc->bNumDescriptors,
+ (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
+
+ for (n = 0; n < num_descriptors; n++)
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
next prev parent reply other threads:[~2017-10-16 16:12 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 16:11 [PATCH 3.18 00/19] 3.18.76-stable review Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 01/19] ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 02/19] CIFS: Reconnect expired SMB sessions Greg Kroah-Hartman
2017-10-16 16:11 ` Greg Kroah-Hartman [this message]
2017-10-16 16:11 ` [PATCH 3.18 05/19] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 06/19] usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 07/19] iommu/amd: Finish TLB flush in amd_iommu_unmap() Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 08/19] ALSA: usb-audio: Kill stray URB at exiting Greg Kroah-Hartman
2017-10-16 18:50 ` Takashi Iwai
2017-10-17 14:07 ` Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 09/19] ALSA: seq: Fix use-after-free at creating a port Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 10/19] ALSA: seq: Fix copy_from_user() call inside lock Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 11/19] ALSA: caiaq: Fix stray URB at probe error path Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 12/19] usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 13/19] direct-io: Prevent NULL pointer access in submit_page_section Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 14/19] fix unbalanced page refcounting in bio_map_user_iov Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 15/19] USB: serial: cp210x: add support for ELV TFD500 Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 16/19] USB: serial: option: add support for TP-Link LTE module Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 17/19] USB: serial: qcserial: add Dell DW5818, DW5819 Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 18/19] USB: serial: console: fix use-after-free after failed setup Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 19/19] ALSA: seq: Fix missing NULL check at remove_events ioctl Greg Kroah-Hartman
2017-10-16 23:42 ` [PATCH 3.18 00/19] 3.18.76-stable review Shuah Khan
2017-10-17 0:23 ` Guenter Roeck
[not found] ` <59e53ebe.532f1c0a.7d93d.9f31@mx.google.com>
2017-10-17 13:22 ` Greg Kroah-Hartman
2017-10-19 12:21 ` Kevin Hilman
2017-10-19 13:45 ` Guillaume Tucker
2017-10-17 14:40 ` Greg Kroah-Hartman
2017-10-17 18:12 ` Shuah Khan
2017-10-18 7:09 ` Greg Kroah-Hartman
[not found] ` <CALpmF+Fgzn6mzp_ReEfcQ7t=LvSTK5uDP_jftV_Cf1dBf1h0wQ@mail.gmail.com>
2017-10-18 7:09 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171016160922.181101575@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=climbbb.kim@gmail.com \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.