diff mbox

[02/14] HID: i2c-hid: fix memory corruption due to missing hid declaration

Message ID 1354634875-5182-3-git-send-email-benjamin.tissoires@gmail.com (mailing list archive)
State New, archived
Delegated to: Jiri Kosina
Headers show

Commit Message

Benjamin Tissoires Dec. 4, 2012, 3:27 p.m. UTC
HID descriptors contains 4 bytes of reserved field.
The previous implementation was overriding the next fields in struct i2c_hid.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
---
 drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Jean Delvare Dec. 4, 2012, 9:42 p.m. UTC | #1
On Tue,  4 Dec 2012 16:27:43 +0100, Benjamin Tissoires wrote:
> HID descriptors contains 4 bytes of reserved field.
> The previous implementation was overriding the next fields in struct i2c_hid.
> 
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
> ---
>  drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> index 0fbb229..ad771a7 100644
> --- a/drivers/hid/i2c-hid/i2c-hid.c
> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> @@ -68,6 +68,7 @@ struct i2c_hid_desc {
>  	__le16 wVendorID;
>  	__le16 wProductID;
>  	__le16 wVersionID;
> +	__le32 reserved;
>  } __packed;
>  
>  struct i2c_hid_cmd {
> @@ -778,7 +779,7 @@ static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
>  	}
>  
>  	dsize = le16_to_cpu(hdesc->wHIDDescLength);
> -	if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) {
> +	if (!dsize || dsize > sizeof(struct i2c_hid_desc)) {

Shouldn't !dsize rather be dsize < 4? You're reading hdesc->bcdVersion,
which is only defined if dsize >= 4 if I understand the code correctly.

>  		dev_err(&client->dev, "weird size of HID descriptor (%u)\n",
>  			dsize);
>  		return -ENODEV;
Benjamin Tissoires Dec. 5, 2012, 10:10 a.m. UTC | #2
On Tue, Dec 4, 2012 at 10:42 PM, Jean Delvare <khali@linux-fr.org> wrote:
> On Tue,  4 Dec 2012 16:27:43 +0100, Benjamin Tissoires wrote:
>> HID descriptors contains 4 bytes of reserved field.
>> The previous implementation was overriding the next fields in struct i2c_hid.
>>
>> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
>> ---
>>  drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>> index 0fbb229..ad771a7 100644
>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>> @@ -68,6 +68,7 @@ struct i2c_hid_desc {
>>       __le16 wVendorID;
>>       __le16 wProductID;
>>       __le16 wVersionID;
>> +     __le32 reserved;
>>  } __packed;
>>
>>  struct i2c_hid_cmd {
>> @@ -778,7 +779,7 @@ static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
>>       }
>>
>>       dsize = le16_to_cpu(hdesc->wHIDDescLength);
>> -     if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) {
>> +     if (!dsize || dsize > sizeof(struct i2c_hid_desc)) {
>
> Shouldn't !dsize rather be dsize < 4? You're reading hdesc->bcdVersion,
> which is only defined if dsize >= 4 if I understand the code correctly.

Yes, you are right. Thanks.

Jiri, this patch is a prerequisite for "[PATCH 10/14] HID: i2c-hid:
reorder allocation/free of buffers".
could you please what for a v2 before applying 10/14?

Cheers,
Benjamin

>
>>               dev_err(&client->dev, "weird size of HID descriptor (%u)\n",
>>                       dsize);
>>               return -ENODEV;
>
>
> --
> Jean Delvare
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jiri Kosina Dec. 5, 2012, 10:13 a.m. UTC | #3
On Wed, 5 Dec 2012, Benjamin Tissoires wrote:

> > On Tue,  4 Dec 2012 16:27:43 +0100, Benjamin Tissoires wrote:
> >> HID descriptors contains 4 bytes of reserved field.
> >> The previous implementation was overriding the next fields in struct i2c_hid.
> >>
> >> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
> >> ---
> >>  drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
> >>  1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >> index 0fbb229..ad771a7 100644
> >> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >> @@ -68,6 +68,7 @@ struct i2c_hid_desc {
> >>       __le16 wVendorID;
> >>       __le16 wProductID;
> >>       __le16 wVersionID;
> >> +     __le32 reserved;
> >>  } __packed;
> >>
> >>  struct i2c_hid_cmd {
> >> @@ -778,7 +779,7 @@ static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
> >>       }
> >>
> >>       dsize = le16_to_cpu(hdesc->wHIDDescLength);
> >> -     if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) {
> >> +     if (!dsize || dsize > sizeof(struct i2c_hid_desc)) {
> >
> > Shouldn't !dsize rather be dsize < 4? You're reading hdesc->bcdVersion,
> > which is only defined if dsize >= 4 if I understand the code correctly.
> 
> Yes, you are right. Thanks.
> 
> Jiri, this patch is a prerequisite for "[PATCH 10/14] HID: i2c-hid:
> reorder allocation/free of buffers".
> could you please what for a v2 before applying 10/14?

Absolutely. I still have to review 9, 10, 11, 12, 13, 14, so am dropping 2 
and 10 from my attention for now.
diff mbox

Patch

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 0fbb229..ad771a7 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -68,6 +68,7 @@  struct i2c_hid_desc {
 	__le16 wVendorID;
 	__le16 wProductID;
 	__le16 wVersionID;
+	__le32 reserved;
 } __packed;
 
 struct i2c_hid_cmd {
@@ -778,7 +779,7 @@  static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
 	}
 
 	dsize = le16_to_cpu(hdesc->wHIDDescLength);
-	if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) {
+	if (!dsize || dsize > sizeof(struct i2c_hid_desc)) {
 		dev_err(&client->dev, "weird size of HID descriptor (%u)\n",
 			dsize);
 		return -ENODEV;