From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: [PATCH 4.4 10/20] Input: gtco - fix potential out-of-bound access
Date: Tue, 31 Oct 2017 10:55:26 +0100 [thread overview]
Message-ID: <20171031095510.706625629@linuxfoundation.org> (raw)
In-Reply-To: <20171031095510.079198256@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit a50829479f58416a013a4ccca791336af3c584c7 upstream.
parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/tablet/gtco.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(
/* Walk this report and pull out the info we need */
while (i < length) {
- prefix = report[i];
-
- /* Skip over prefix */
- i++;
+ prefix = report[i++];
/* Determine data size and save the data in the proper variable */
- size = PREF_SIZE(prefix);
+ size = (1U << PREF_SIZE(prefix)) >> 1;
+ if (i + size > length) {
+ dev_err(ddev,
+ "Not enough data (need %d, have %d)\n",
+ i + size, length);
+ break;
+ }
+
switch (size) {
case 1:
data = report[i];
@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(
case 2:
data16 = get_unaligned_le16(&report[i]);
break;
- case 3:
- size = 4;
+ case 4:
data32 = get_unaligned_le32(&report[i]);
break;
}
next prev parent reply other threads:[~2017-10-31 9:55 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-31 9:55 [PATCH 4.4 00/20] 4.4.96-stable review Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 01/20] workqueue: replace pool->manager_arb mutex with a flag Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 02/20] ALSA: hda/realtek - Add support for ALC236/ALC3204 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 03/20] ALSA: hda - fix headset mic problem for Dell machines with alc236 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 04/20] ceph: unlock dangling spinlock in try_flush_caps() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 05/20] usb: xhci: Handle error condition in xhci_stop_device() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 06/20] spi: uapi: spidev: add missing ioctl header Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 07/20] fuse: fix READDIRPLUS skipping an entry Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 08/20] xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 09/20] Input: elan_i2c - add ELAN0611 to the ACPI table Greg Kroah-Hartman
2017-10-31 9:55 ` Greg Kroah-Hartman [this message]
2017-10-31 9:55 ` [PATCH 4.4 11/20] assoc_array: Fix a buggy node-splitting case Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 12/20] scsi: zfcp: fix erp_action use-before-initialize in REC action trace Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 13/20] scsi: sg: Re-fix off by one in sg_fill_request_table() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 14/20] can: sun4i: fix loopback mode Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 15/20] can: kvaser_usb: Correct return value in printout Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 16/20] can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 17/20] regulator: fan53555: fix I2C device ids Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 18/20] x86/microcode/intel: Disable late loading on model 79 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 19/20] ecryptfs: fix dereference of NULL user_key_payload Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.4 20/20] [PATCH] Revert "drm: bridge: add DT bindings for TI ths8135" Greg Kroah-Hartman
2017-10-31 17:19 ` [PATCH 4.4 00/20] 4.4.96-stable review Guenter Roeck
2017-10-31 20:04 ` Shuah Khan
2017-10-31 21:33 ` Tom Gall
2017-11-01 15:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171031095510.706625629@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).