From patchwork Tue Nov 26 07:02:10 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ben Hutchings <ben@decadent.org.uk>
X-Patchwork-Id: 3236801
X-Patchwork-Delegate: jikos@jikos.cz
Return-Path: <linux-input-owner@kernel.org>
X-Original-To: patchwork-linux-input@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 8D07D9F3A0
	for <patchwork-linux-input@patchwork.kernel.org>;
	Tue, 26 Nov 2013 07:02:21 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id A4E4720381
	for <patchwork-linux-input@patchwork.kernel.org>;
	Tue, 26 Nov 2013 07:02:20 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 8F2462037B
	for <patchwork-linux-input@patchwork.kernel.org>;
	Tue, 26 Nov 2013 07:02:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753698Ab3KZHCS (ORCPT
	<rfc822;patchwork-linux-input@patchwork.kernel.org>);
	Tue, 26 Nov 2013 02:02:18 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:33300 "EHLO
	shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1753007Ab3KZHCS (ORCPT
	<rfc822;linux-input@vger.kernel.org>);
	Tue, 26 Nov 2013 02:02:18 -0500
Received: from [192.168.4.212] (helo=deadeye.wl.decadent.org.uk)
	by shadbolt.decadent.org.uk with esmtps
	(TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80)
	(envelope-from <ben@decadent.org.uk>)
	id 1VlCf1-00025S-7w; Tue, 26 Nov 2013 07:02:15 +0000
Received: from ben by deadeye.wl.decadent.org.uk with local (Exim 4.80)
	(envelope-from <ben@decadent.org.uk>)
	id 1VlCf1-0005BZ-GW; Tue, 26 Nov 2013 07:02:15 +0000
Message-ID: <1385449330.23855.46.camel@deadeye.wl.decadent.org.uk>
Subject: [PATCH] uhid: Pad short UHID_CREATE writes from compat tasks
From: Ben Hutchings <ben@decadent.org.uk>
To: David Herrmann <dh.herrmann@googlemail.com>
Cc: linux-input@vger.kernel.org
Date: Tue, 26 Nov 2013 07:02:10 +0000
X-Mailer: Evolution 3.8.5-2+b1 
Mime-Version: 1.0
X-SA-Exim-Connect-IP: 192.168.4.212
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk);
	SAEximRunCond expanded to false
Sender: linux-input-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-input.vger.kernel.org>
X-Mailing-List: linux-input@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD, T_TVD_MIME_EPI,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Short event writes are normally padded with zeroes, but the compat
fixup for UHID_CREATE didn't ensure this.  This appears to allow an
information leak.

Compile-tested only.

Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems')
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: stable@vger.kernel.org
---
I have no familiarity with uhid so I haven't written a test for this.
It looks like it would be possible to write a UHID_CREATE event that
only covers fields up to rd_size, and the following data on the heap
would be copied to the HID device metadata and be readable that way.

Ben.

 drivers/hid/uhid.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
index 5bf2fb7..579a7115 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -298,6 +298,9 @@ static int uhid_event_from_user(const char __user *buffer, size_t len,
 				kfree(compat);
 				return -EFAULT;
 			}
+			if (len < sizeof(*compat))
+				memset((char *)buffer + len, 0,
+				       sizeof(*compat) - len);
 
 			/* Shuffle the data over to proper structure */
 			event->type = type;