From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 727F3C2D0C8 for ; Wed, 11 Dec 2019 16:11:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 493DE208C3 for ; Wed, 11 Dec 2019 16:11:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730691AbfLKQLh (ORCPT ); Wed, 11 Dec 2019 11:11:37 -0500 Received: from iolanthe.rowland.org ([192.131.102.54]:55074 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1730797AbfLKPKo (ORCPT ); Wed, 11 Dec 2019 10:10:44 -0500 Received: (qmail 1752 invoked by uid 2102); 11 Dec 2019 10:10:43 -0500 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Dec 2019 10:10:43 -0500 Date: Wed, 11 Dec 2019 10:10:43 -0500 (EST) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: Jiri Kosina cc: Benjamin Tissoires , , USB list , syzkaller-bugs Subject: Re: [PATCH] HID: Fix slab-out-of-bounds read in hid_field_extract In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org On Wed, 11 Dec 2019, Jiri Kosina wrote: > On Tue, 10 Dec 2019, Alan Stern wrote: > > > The syzbot fuzzer found a slab-out-of-bounds bug in the HID report > > handler. The bug was caused by a report descriptor which included a > > field with size 12 bits and count 4899, for a total size of 7349 > > bytes. > > > > The usbhid driver uses at most a single-page 4-KB buffer for reports. > > In the test there wasn't any problem about overflowing the buffer, > > since only one byte was received from the device. Rather, the bug > > occurred when the HID core tried to extract the data from the report > > fields, which caused it to try reading data beyond the end of the > > allocated buffer. > > > > This patch fixes the problem by rejecting any report whose total > > length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow > > for a possible report index). In theory a device could have a report > > longer than that, but if there was such a thing we wouldn't handle it > > correctly anyway. > > > > Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com > > Signed-off-by: Alan Stern > > CC: > > Thanks for hunting this down Alan. Applied. I just noticed this code: u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags) { /* * 7 extra bytes are necessary to achieve proper functionality * of implement() working on 8 byte chunks */ u32 len = hid_report_len(report) + 7; return kmalloc(len, flags); } Does this indicate that the upper limit on a report length should really be HID_MAX_BUFFER_SIZE - 8 instead of HID_MAX_BUFFER_SIZE - 1? Alan Stern