linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Anirudh Rayabharam <mail@anirudhrb.com>,
	syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com,
	Benjamin Tissoires <benjamin.tissoires@redhat.com>,
	Jiri Kosina <jkosina@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 04/88] HID: usbhid: fix info leak in hid_submit_ctrl
Date: Mon, 28 Jun 2021 10:35:04 -0400	[thread overview]
Message-ID: <20210628143628.33342-5-sashal@kernel.org> (raw)
In-Reply-To: <20210628143628.33342-1-sashal@kernel.org>

From: Anirudh Rayabharam <mail@anirudhrb.com>

[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ]

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/usbhid/hid-core.c | 2 +-
 include/linux/hid.h           | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 98916fb4191a..46b8f4c353de 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -373,7 +373,7 @@ static int hid_submit_ctrl(struct hid_device *hid)
 	raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report;
 	dir = usbhid->ctrl[usbhid->ctrltail].dir;
 
-	len = ((report->size - 1) >> 3) + 1 + (report->id > 0);
+	len = hid_report_len(report);
 	if (dir == USB_DIR_OUT) {
 		usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
 		usbhid->urbctrl->transfer_buffer_length = len;
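Review bot: with report->size == 0 and report->id == 0, hid_report_len() now returns 0, so the USB_DIR_OUT branch at `usbhid->urbctrl->transfer_buffer_length = len;` will submit a zero-length control transfer instead of the oversized one; the hunk does not show whether hid_submit_ctrl() treats len == 0 sensibly in the IN direction or whether such a report should be rejected before it is queued, so please confirm that path (an early return or a WARN_ON_ONCE(len == 0) would make the intent explicit) rather than relying on the USB core to cope with a zero length. Also check the declared type of `len` (outside the hunk) against the u32 that hid_report_len() returns; the conversion is harmless for real report sizes but should be a conscious choice now that the helper is shared.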
diff --git a/include/linux/hid.h b/include/linux/hid.h
index d07fe33a9045..5a2c55ed33fa 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1114,8 +1114,7 @@ static inline void hid_hw_wait(struct hid_device *hdev)
  */
 static inline u32 hid_report_len(struct hid_report *report)
 {
-	/* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
-	return ((report->size - 1) >> 3) + 1 + (report->id > 0);
+	return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
 }
 
 int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
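Review bot: the kernel-doc block that closes at ` */` above hid_report_len() should document the new zero-size behaviour: with `DIV_ROUND_UP(report->size, 8)` a report of size 0 yields 0 (or 1 when it carries an ID byte), whereas the removed `((report->size - 1) >> 3) + 1` wrapped the unsigned subtraction to a huge value. Every other caller of hid_report_len() (none are visible in this patch) that could see size == 0 now receives 0 instead of that wrapped value and must handle a zero length. The dropped comment's `!!(report->id > 0)` and the new `(report->id > 0)` are equivalent, since the comparison already yields 0 or 1, so nothing is lost by removing it.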
-- 
2.30.2
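To make the arithmetic in the commit message concrete, the following is an added example, not part of the patch or of the kernel tree: struct hid_report is reduced to the two fields the length calculation reads (both unsigned, as in the kernel), DIV_ROUND_UP is a local copy of the kernel macro, and the two helper functions wrap the removed expression and its replacement. For size == 0 the unsigned `size - 1` wraps, so the old formula yields 0x20000000 bytes (plus one for an ID byte) where the new one yields 0 or 1; for every size >= 1 the two agree, which is why the replacement is a safe drop-in. This only evaluates the two expressions themselves; the 16384-byte length the commit message reports is what eventually reached the USB core, not the raw formula result.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Local copy of the kernel's DIV_ROUND_UP() so the block builds in userspace. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/*
 * Stand-in for the kernel's struct hid_report with only the two fields the
 * length calculation reads. Both are unsigned in the kernel, so "size - 1"
 * wraps to UINT_MAX instead of going negative when size is 0.
 */
struct hid_report {
	unsigned int id;	/* 0 when the report has no ID byte */
	unsigned int size;	/* payload length in bits */
};

/* Pre-patch calculation, as in the removed hid_submit_ctrl()/hid_report_len() lines. */
static uint32_t hid_report_len_old(const struct hid_report *report)
{
	return ((report->size - 1) >> 3) + 1 + (report->id > 0);
}

/* Post-patch calculation from the include/linux/hid.h hunk. */
static uint32_t hid_report_len_new(const struct hid_report *report)
{
	return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
}

/* Convenience wrappers: build a report from (size in bits, id) and evaluate. */
static uint32_t report_len_old(unsigned int size, unsigned int id)
{
	struct hid_report r = { .id = id, .size = size };

	return hid_report_len_old(&r);
}

static uint32_t report_len_new(unsigned int size, unsigned int id)
{
	struct hid_report r = { .id = id, .size = size };

	return hid_report_len_new(&r);
}

/* 1 if the two formulas disagree for the given report geometry, else 0. */
static int formulas_differ(unsigned int size, unsigned int id)
{
	return report_len_old(size, id) != report_len_new(size, id);
}

int main(void)
{
	/* Constructed sample geometries: the zero-size report the syzkaller
	 * reproducer hit, then ordinary sizes on and around byte boundaries. */
	static const unsigned int sizes[] = { 0, 1, 7, 8, 9, 64, 65 };
	unsigned int id, i;

	printf("%6s %3s %12s %6s\n", "bits", "id", "old", "new");
	for (id = 0; id <= 1; id++) {
		for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
			printf("%6u %3u %12" PRIu32 " %6" PRIu32 "%s\n",
			       sizes[i], id,
			       report_len_old(sizes[i], id),
			       report_len_new(sizes[i], id),
			       formulas_differ(sizes[i], id) ? "  <- differs" : "");
		}
	}
	return 0;
}
```

Only the size == 0 rows differ; that is the whole behavioural change of the patch, and the table is the quickest way to convince yourself that no ordinary report length moves.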



Thread overview: 92+ messages
2021-06-28 14:35 [PATCH 4.14 00/88] 4.14.238-rc1 review Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 01/88] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 02/88] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 03/88] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 04/88] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin [this message]
2021-06-28 14:35 ` [PATCH 4.14 05/88] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 06/88] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 07/88] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 08/88] scsi: target: core: Fix warning on realtime kernels Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 09/88] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 10/88] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 11/88] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 12/88] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 13/88] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 14/88] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 15/88] net/x25: Return the correct errno code Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 16/88] net: " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 17/88] fib: " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 18/88] dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 19/88] dmaengine: QCOM_HIDMA_MGMT " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 20/88] dmaengine: stedma40: add missing iounmap() on error in d40_probe() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 21/88] mm/memory-failure: make sure wait for page writeback in memory_failure Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 22/88] batman-adv: Avoid WARN_ON timing related checks Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 23/88] net: ipv4: fix memory leak in netlbl_cipsov4_add_std Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 24/88] net: rds: fix memory leak in rds_recvmsg Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 25/88] udp: fix race between close() and udp_abort() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 26/88] rtnetlink: Fix regression in bridge VLAN configuration Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 27/88] netfilter: synproxy: Fix out of bounds when parsing TCP options Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 28/88] alx: Fix an error handling path in 'alx_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 29/88] net: stmmac: dwmac1000: Fix extended MAC address registers definition Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 30/88] qlcnic: Fix an error handling path in 'qlcnic_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 31/88] netxen_nic: Fix an error handling path in 'netxen_nic_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 32/88] net: cdc_ncm: switch to eth%d interface naming Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 33/88] net: usb: fix possible use-after-free in smsc75xx_bind Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 34/88] net: ipv4: fix memory leak in ip_mc_add1_src Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 35/88] net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 36/88] be2net: Fix an error handling path in 'be_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 37/88] net: hamradio: fix memory leak in mkiss_close Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 38/88] net: cdc_eem: fix tx fixup skb leak Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 39/88] icmp: don't send out ICMP messages with a source address of 0.0.0.0 Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 40/88] net: ethernet: fix potential use-after-free in ec_bhf_remove Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 41/88] radeon: use memcpy_to/fromio for UVD fw upload Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 42/88] hwmon: (scpi-hwmon) shows the negative temperature properly Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 43/88] can: bcm: fix infoleak in struct bcm_msg_head Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 44/88] can: mcba_usb: fix memory leak in mcba_usb Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 45/88] usb: core: hub: Disable autosuspend for Cypress CY7C65632 Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 46/88] tracing: Do not stop recording cmdlines when tracing is off Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 47/88] tracing: Do not stop recording comms if the trace file is being read Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 48/88] tracing: Do no increment trace_clock_global() by one Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 49/88] PCI: Mark TI C667X to avoid bus reset Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 50/88] PCI: Mark some NVIDIA GPUs " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 51/88] PCI: Add ACS quirk for Broadcom BCM57414 NIC Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 52/88] PCI: Work around Huawei Intelligent NIC VF FLR erratum Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 53/88] ARCv2: save ABI registers across signal handling Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 54/88] dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 55/88] net: bridge: fix vlan tunnel dst null pointer dereference Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 56/88] net: bridge: fix vlan tunnel dst refcnt when egressing Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 57/88] mm/slub.c: include swab.h Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 58/88] net: fec_ptp: add clock rate zero check Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 59/88] can: bcm/raw/isotp: use per module netdevice notifier Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 60/88] inet: use bigger hash table for IP ID generation Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 61/88] usb: dwc3: core: fix kernel panic when do reboot Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 62/88] kernfs: deal with kernfs_fill_super() failures Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 63/88] unfuck sysfs_mount() Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 64/88] x86/fpu: Reset state for all signal restore failures Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 65/88] drm/nouveau: wait for moving fence after pinning v2 Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 66/88] drm/radeon: wait for moving fence after pinning Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 67/88] ARM: 9081/1: fix gcc-10 thumb2-kernel regression Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 68/88] Makefile: Move -Wno-unused-but-set-variable out of GCC only block Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 69/88] MIPS: generic: Update node names to avoid unit addresses Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 70/88] arm64: perf: Disable PMU while processing counter overflows Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 71/88] Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 72/88] mac80211: remove warning in ieee80211_get_sband() Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 73/88] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 74/88] mac80211: drop multicast fragments Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 75/88] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 76/88] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 77/88] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 78/88] net/packet: annotate accesses to po->bind Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 79/88] net/packet: annotate accesses to po->ifindex Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 80/88] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 81/88] sh_eth: " Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 82/88] r8169: " Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 83/88] net: qed: Fix memcpy() overflow of qed_dcbx_params() Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 84/88] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 85/88] pinctrl: stm32: fix the reported number of GPIO lines per bank Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 86/88] nilfs2: fix memory leak in nilfs_sysfs_delete_device_group Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 87/88] i2c: robotfuzz-osif: fix control-request directions Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 88/88] Linux 4.14.238-rc1 Sasha Levin
2021-06-29 11:42 ` [PATCH 4.14 00/88] 4.14.238-rc1 review Naresh Kamboju
2021-06-29 18:19 ` Guenter Roeck
2021-06-30  6:19 ` Samuel Zou
