From: Alan Stern <stern@rowland.harvard.edu>
To: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>,
<linux-input@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: [PATCH] HID: Fix slab-out-of-bounds read in hid_field_extract
Date: Wed, 11 Dec 2019 10:10:43 -0500 (EST) [thread overview]
Message-ID: <Pine.LNX.4.44L0.1912111009080.1549-100000@iolanthe.rowland.org> (raw)
In-Reply-To: <nycvar.YFH.7.76.1912111517570.4603@cbobk.fhfr.pm>
On Wed, 11 Dec 2019, Jiri Kosina wrote:
> On Tue, 10 Dec 2019, Alan Stern wrote:
>
> > The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
> > handler. The bug was caused by a report descriptor which included a
> > field with size 12 bits and count 4899, for a total size of 7349
> > bytes.
> >
> > The usbhid driver uses at most a single-page 4-KB buffer for reports.
> > In the test there wasn't any problem about overflowing the buffer,
> > since only one byte was received from the device. Rather, the bug
> > occurred when the HID core tried to extract the data from the report
> > fields, which caused it to try reading data beyond the end of the
> > allocated buffer.
> >
> > This patch fixes the problem by rejecting any report whose total
> > length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
> > for a possible report index). In theory a device could have a report
> > longer than that, but if there was such a thing we wouldn't handle it
> > correctly anyway.
> >
> > Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
> > Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> > CC: <stable@vger.kernel.org>
>
> Thanks for hunting this down Alan. Applied.
I just noticed this code:
u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
{
/*
* 7 extra bytes are necessary to achieve proper functionality
* of implement() working on 8 byte chunks
*/
u32 len = hid_report_len(report) + 7;
return kmalloc(len, flags);
}
Does this indicate that the upper limit on a report length should
really be HID_MAX_BUFFER_SIZE - 8 instead of HID_MAX_BUFFER_SIZE - 1?
Alan Stern
next prev parent reply other threads:[~2019-12-11 16:11 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-21 14:45 INFO: rcu detected stall in hub_event syzbot
2019-11-22 16:51 ` Alan Stern
2019-11-22 21:31 ` Andrey Konovalov
2019-11-25 17:30 ` Alan Stern
2019-12-09 18:26 ` Alan Stern
2019-12-10 21:26 ` [PATCH] HID: Fix slab-out-of-bounds read in hid_field_extract Alan Stern
2019-12-11 14:18 ` Jiri Kosina
2019-12-11 15:10 ` Alan Stern [this message]
2019-12-13 8:44 ` Jiri Kosina
2024-04-08 16:55 ` INFO: rcu detected stall in hub_event Alan Stern
2019-11-23 20:20 ` syzbot
2019-11-24 16:17 ` Alan Stern
2019-11-25 9:38 ` syzbot
2019-11-25 21:24 ` Alan Stern
2019-11-26 7:48 ` Jiri Kosina
2019-11-26 15:18 ` Alan Stern
2019-11-26 20:21 ` syzbot
2022-07-30 10:27 ` [syzbot] " syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.44L0.1912111009080.1549-100000@iolanthe.rowland.org \
--to=stern@rowland.harvard.edu \
--cc=benjamin.tissoires@redhat.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).