Date: Wed, 22 Sep 2021 09:31:42 +0200 (CEST)
From: Jiri Kosina
To: Andrej Shadura
cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, kernel@collabora.com, Benjamin Tissoires
Subject: Re: [PATCH] HID: u2fzero: ignore incomplete packets without data
In-Reply-To: <20210916163311.11968-1-andrew.shadura@collabora.co.uk>
X-Mailing-List: linux-input@vger.kernel.org

On Thu, 16 Sep 2021, Andrej Shadura wrote:

> Since the actual_length calculation is performed unsigned, packets
> shorter than 7 bytes (e.g. packets without data or otherwise truncated)
> or non-received packets ("zero" bytes) can cause buffer overflow.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
> Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
> Signed-off-by: Andrej Shadura
> --- > drivers/hid/hid-u2fzero.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c > index 95e0807878c7..d70cd3d7f583 100644 > --- a/drivers/hid/hid-u2fzero.c > +++ b/drivers/hid/hid-u2fzero.c > @@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data, > } > > ret = u2fzero_recv(dev, &req, &resp); > - if (ret < 0) > + > + /* ignore errors or packets without data */ > + if (ret < offsetof(struct u2f_hid_msg, init.data)) > return 0; >

Applied, thanks.

--
Jiri Kosina
SUSE Labs
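Review bot: The new condition `if (ret < offsetof(struct u2f_hid_msg, init.data))` in u2fzero_rng_read() compares a signed `ret` (the removed line tested `ret < 0`) against the result of `offsetof()`, which has type `size_t`. The usual arithmetic conversions turn `ret` into an unsigned value for the comparison, so a negative error code from `u2fzero_recv()` becomes a very large number that is not less than the offset, and the error case that the comment says is ignored falls through to the code after the check. Either keep `if (ret < 0)` as its own test ahead of the length check, or make the comparison signed, for example `if (ret < (ssize_t)offsetof(struct u2f_hid_msg, init.data))`.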