From: Pietro Borrello <borrello@diag.uniroma1.it>
To: Jiri Kosina <jikos@kernel.org>,
	Benjamin Tissoires <benjamin.tissoires@redhat.com>,
	Kees Cook <keescook@chromium.org>, Hanno Zulla <abos@hanno.de>
Cc: Cristiano Giuffrida <c.giuffrida@vu.nl>,
	"Bos, H.J." <h.j.bos@vu.nl>, Jakob Koschel <jkl820.git@gmail.com>,
	Jiri Kosina <jkosina@suse.cz>,
	linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	Pietro Borrello <borrello@diag.uniroma1.it>
Subject: [PATCH 2/2] HID: check empty report_list in bigben_probe()
Date: Mon, 16 Jan 2023 11:11:25 +0000
Message-ID: <20230114-hid-fix-emmpty-report-list-v1-2-e4d02fad3ba5@diag.uniroma1.it>
In-Reply-To: <20230114-hid-fix-emmpty-report-list-v1-0-e4d02fad3ba5@diag.uniroma1.it>

Add a check for empty report_list in bigben_probe().
The missing check causes a type confusion when issuing a list_entry()
on an empty report_list.
The problem is caused by the assumption that the device must
have a valid report_list. While this will be true for all normal HID
devices, a suitably malicious device can violate the assumption.

Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
---
 drivers/hid/hid-bigbenff.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c
index e8c5e3ac9fff..e8b16665860d 100644
--- a/drivers/hid/hid-bigbenff.c
+++ b/drivers/hid/hid-bigbenff.c
@@ -344,6 +344,11 @@ static int bigben_probe(struct hid_device *hid,
 	}
 
 	report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+	if (list_empty(report_list)) {
+		hid_err(hid, "no output report found\n");
+		error = -ENODEV;
+		goto error_hw_stop;
+	}
 	bigben->report = list_entry(report_list->next,
 		struct hid_report, list);
 
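Review bot: the list_empty() test and the open-coded list_entry(report_list->next, struct hid_report, list) right after it are two separate statements, so a later edit can move or drop one without the other. Consider list_first_entry_or_null(report_list, struct hid_report, list) with a NULL check on the result, taking the same -ENODEV / error_hw_stop path, so the guard stays attached to the dereference. The changelog could also say what the confused object is: on an empty list, report_list->next points back at the list head embedded in hid->report_enum[HID_OUTPUT_REPORT], so list_entry() produces a struct hid_report pointer that does not point at a hid_report. Note too that this only establishes that at least one output report exists; nothing in the lines shown checks that the first report has the layout the driver expects.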

-- 
2.25.1
