* [PATCH v2] HID: hid-input: clear unmapped usages
@ 2019-12-07 21:05 Dmitry Torokhov
2019-12-13 9:28 ` Jiri Kosina
0 siblings, 1 reply; 4+ messages in thread
From: Dmitry Torokhov @ 2019-12-07 21:05 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires
Cc: Greg Kroah-Hartman, linux-input, linux-kernel
We should not be leaving half-mapped usages with potentially invalid
keycodes, as that may confuse hidinput_find_key() when the key is located
by index, which may end up feeding way too large keycode into the VT
keyboard handler and cause OOB write there:
BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
input_pass_values drivers/input/input.c:949 [inline]
input_set_keycode+0x290/0x320 drivers/input/input.c:954
evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
v2: fixed up interaction with hid-multitouch according to Benjamin's
feedback
Please consider tagging for stable.
drivers/hid/hid-input.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 63855f275a38..9428f49fd218 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1132,9 +1132,15 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
}
mapped:
- if (device->driver->input_mapped && device->driver->input_mapped(device,
- hidinput, field, usage, &bit, &max) < 0)
- goto ignore;
+ if (device->driver->input_mapped &&
+ device->driver->input_mapped(device, hidinput, field, usage,
+ &bit, &max) < 0) {
+ /*
+ * The driver indicated that no further generic handling
+ * of the usage is desired.
+ */
+ return;
+ }
set_bit(usage->type, input->evbit);
@@ -1215,9 +1221,11 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
set_bit(MSC_SCAN, input->mscbit);
}
-ignore:
return;
+ignore:
+ usage->type = 0;
+ usage->code = 0;
}
static void hidinput_handle_scroll(struct hid_usage *usage,
--
2.24.0.393.g34dc348eaf-goog
--
Dmitry
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2] HID: hid-input: clear unmapped usages
2019-12-07 21:05 [PATCH v2] HID: hid-input: clear unmapped usages Dmitry Torokhov
@ 2019-12-13 9:28 ` Jiri Kosina
2019-12-13 11:22 ` Benjamin Tissoires
0 siblings, 1 reply; 4+ messages in thread
From: Jiri Kosina @ 2019-12-13 9:28 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Benjamin Tissoires, Greg Kroah-Hartman, linux-input, linux-kernel
On Sat, 7 Dec 2019, Dmitry Torokhov wrote:
> We should not be leaving half-mapped usages with potentially invalid
> keycodes, as that may confuse hidinput_find_key() when the key is located
> by index, which may end up feeding way too large keycode into the VT
> keyboard handler and cause OOB write there:
>
> BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
> BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
> BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
> Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
> ...
> kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
> kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
> input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
> input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
> input_pass_values drivers/input/input.c:949 [inline]
> input_set_keycode+0x290/0x320 drivers/input/input.c:954
> evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
> evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
>
> Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> ---
>
> v2: fixed up interaction with hid-multitouch according to Benjamin's
> feedback
>
> Please consider tagging for stable.
I'd like to push this for 5.5 (and tag for stable), but would prefer this
to have gone through the full battery of Benjamin's testing infrastructure
first.
Benjamin, did you have chance to run Dmitry's patch through your
machinery?
Thanks,
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] HID: hid-input: clear unmapped usages
2019-12-13 9:28 ` Jiri Kosina
@ 2019-12-13 11:22 ` Benjamin Tissoires
2019-12-13 20:42 ` Jiri Kosina
0 siblings, 1 reply; 4+ messages in thread
From: Benjamin Tissoires @ 2019-12-13 11:22 UTC (permalink / raw)
To: Jiri Kosina
Cc: Dmitry Torokhov, Greg Kroah-Hartman, open list:HID CORE LAYER, lkml
Hi,
On Fri, Dec 13, 2019 at 10:28 AM Jiri Kosina <jikos@kernel.org> wrote:
>
> On Sat, 7 Dec 2019, Dmitry Torokhov wrote:
>
> > We should not be leaving half-mapped usages with potentially invalid
> > keycodes, as that may confuse hidinput_find_key() when the key is located
> > by index, which may end up feeding way too large keycode into the VT
> > keyboard handler and cause OOB write there:
> >
> > BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
> > BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
> > BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
> > Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
> > ...
> > kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
> > kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
> > input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
> > input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
> > input_pass_values drivers/input/input.c:949 [inline]
> > input_set_keycode+0x290/0x320 drivers/input/input.c:954
> > evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
> > evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
> >
> > Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> > ---
> >
> > v2: fixed up interaction with hid-multitouch according to Benjamin's
> > feedback
> >
> > Please consider tagging for stable.
>
> I'd like to push this for 5.5 (and tag for stable), but would prefer this
> to have gone through the full battery of Benjamin's testing infrastructure
> first.
>
> Benjamin, did you have chance to run Dmitry's patch through your
> machinery?
yep, this one was OK, so:
Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cheers,
Benjamin
>
> Thanks,
>
> --
> Jiri Kosina
> SUSE Labs
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] HID: hid-input: clear unmapped usages
2019-12-13 11:22 ` Benjamin Tissoires
@ 2019-12-13 20:42 ` Jiri Kosina
0 siblings, 0 replies; 4+ messages in thread
From: Jiri Kosina @ 2019-12-13 20:42 UTC (permalink / raw)
To: Benjamin Tissoires
Cc: Dmitry Torokhov, Greg Kroah-Hartman, open list:HID CORE LAYER,
lkml, Jiri Kosina
On Fri, 13 Dec 2019, Benjamin Tissoires wrote:
> > > We should not be leaving half-mapped usages with potentially invalid
> > > keycodes, as that may confuse hidinput_find_key() when the key is located
> > > by index, which may end up feeding way too large keycode into the VT
> > > keyboard handler and cause OOB write there:
> > >
> > > BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
> > > BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
> > > BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
> > > Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
> > > ...
> > > kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
> > > kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
> > > input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
> > > input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
> > > input_pass_values drivers/input/input.c:949 [inline]
> > > input_set_keycode+0x290/0x320 drivers/input/input.c:954
> > > evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
> > > evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
> > >
> > > Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> > > ---
> > >
> > > v2: fixed up interaction with hid-multitouch according to Benjamin's
> > > feedback
> > >
> > > Please consider tagging for stable.
> >
> > I'd like to push this for 5.5 (and tag for stable), but would prefer this
> > to have gone through the full battery of Benjamin's testing infrastructure
> > first.
> >
> > Benjamin, did you have chance to run Dmitry's patch through your
> > machinery?
>
> yep, this one was OK, so:
> Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Thanks, I am queuing this in for-5.5/upstream-fixes.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-12-13 20:42 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-07 21:05 [PATCH v2] HID: hid-input: clear unmapped usages Dmitry Torokhov
2019-12-13 9:28 ` Jiri Kosina
2019-12-13 11:22 ` Benjamin Tissoires
2019-12-13 20:42 ` Jiri Kosina
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.