From: Jiri Kosina <jikos@kernel.org>
To: Randy Dunlap <rdunlap@infradead.org>
Cc: linux-kernel@vger.kernel.org,
syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
linux-input@vger.kernel.org
Subject: Re: [PATCH] HID: core: detect and skip invalid inputs to snto32()
Date: Fri, 8 Jan 2021 14:52:09 +0100 (CET) [thread overview]
Message-ID: <nycvar.YFH.7.76.2101081450590.13752@cbobk.fhfr.pm> (raw)
In-Reply-To: <20201217011221.25678-1-rdunlap@infradead.org>
On Wed, 16 Dec 2020, Randy Dunlap wrote:
> Prevent invalid (0, 0) inputs to hid-core's snto32() function.
>
> Maybe it is just the dummy device here that is causing this, but
> there are hundreds of calls to snto32(0, 0). Having n (bits count)
> of 0 is causing the current UBSAN trap with a shift value of
> 0xffffffff (-1, or n - 1 in this function).
>
> Either of the value to shift being 0 or the bits count being 0 can be
> handled by just returning 0 to the caller, avoiding the following
> complex shift + OR operations:
>
> return value & (1 << (n - 1)) ? value | (~0U << n) : value;
>
> Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
> Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com
> Cc: Jiri Kosina <jikos@kernel.org>
> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> Cc: linux-input@vger.kernel.org
> ---
> drivers/hid/hid-core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- lnx-510.orig/drivers/hid/hid-core.c
> +++ lnx-510/drivers/hid/hid-core.c
> @@ -1307,6 +1307,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);
>
> static s32 snto32(__u32 value, unsigned n)
> {
> + if (!value || !n)
> + return 0;
> +
Given the fact that this has been in the code basically since ever, we're
probably fine, but it's good to have this fixed nevertheless. Applied
conservatively to hid.git#for-5.12/core.
Thanks,
--
Jiri Kosina
SUSE Labs
prev parent reply other threads:[~2021-01-08 13:52 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-17 1:12 [PATCH] HID: core: detect and skip invalid inputs to snto32() Randy Dunlap
2021-01-08 13:52 ` Jiri Kosina [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YFH.7.76.2101081450590.13752@cbobk.fhfr.pm \
--to=jikos@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rdunlap@infradead.org \
--cc=syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).