From patchwork Tue Dec 16 00:50:15 2014
X-Patchwork-Submitter: Peter Wu
X-Patchwork-Id: 5498891
X-Patchwork-Delegate: jikos@jikos.cz
From: Peter Wu
To: Jiri Kosina, Benjamin Tissoires, Nestor Lopez Casado
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] HID: logitech-{dj,hidpp}: check report length
Date: Tue, 16 Dec 2014 01:50:15 +0100
Message-Id: <1418691016-30681-3-git-send-email-peter@lekensteyn.nl>
X-Mailer: git-send-email 2.1.3
In-Reply-To: <1418691016-30681-1-git-send-email-peter@lekensteyn.nl>
References: <1418691016-30681-1-git-send-email-peter@lekensteyn.nl>

Malicious USB devices can send bogus reports smaller than the expected
buffer size. Ensure that the length is valid to avoid reading out of
bounds.

For the old WTP, I do not have a HID descriptor so just check for the
minimum length in hidpp_raw_event (this can be changed to an inequality
later).

Signed-off-by: Peter Wu
---
Hi,

If you know that the WTP report (ID 2) has a length of 2, then you can
change "<" to "!=" and remove the paragraph from the commit message.

Kind regards,
Peter
---
 drivers/hid/hid-logitech-dj.c    | 16 +++++++++++++++-
 drivers/hid/hid-logitech-hidpp.c | 12 +++++++++---
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index c917ab6..5bc6d80 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev, switch (data[0]) { case REPORT_ID_DJ_SHORT: + if (size != DJREPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, "DJ report of bad size (%d)", size); + return false; + } return logi_dj_dj_event(hdev, report, data, size); case REPORT_ID_HIDPP_SHORT: - /* intentional fallthrough */ + if (size != HIDPP_REPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, + "Short HID++ report of bad size (%d)", size); + return false; + } + return logi_dj_hidpp_event(hdev, report, data, size); case REPORT_ID_HIDPP_LONG: + if (size != HIDPP_REPORT_LONG_LENGTH) { + dev_err(&hdev->dev, + "Long HID++ report of bad size (%d)", size); + return false; + } return logi_dj_hidpp_event(hdev, report, data, size); } diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index ae23dec..2315358 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -992,11 +992,17 @@ static int hidpp_raw_event(struct hid_device *hdev, struct hid_report *report, return 1; } return hidpp_raw_hidpp_event(hidpp, data, size); + case 0x02: + if (size < 2) { + hid_err(hdev, "Received HID report of bad size (%d)", + size); + return 1; + } + if (hidpp->quirks & HIDPP_QUIRK_CLASS_WTP) + return wtp_raw_event(hdev, data, size); + return 1; } - if (hidpp->quirks & HIDPP_QUIRK_CLASS_WTP) - return wtp_raw_event(hdev, data, size); - return 0; }
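Review bot: in the hid-logitech-dj.c hunk, all three new size checks in logi_dj_raw_event end with `return false;` although the function is declared `static int`. Return an explicit integer and choose the value deliberately, because the hidpp_raw_event hunk in this same patch returns 1 for a bad-size report, so the two drivers signal the same rejected-report condition with different values. It would help to state in the commit message what each return value means for further processing of the malformed report. Separately, the three dev_err format strings ("DJ report of bad size (%d)" and the two HID++ variants) have no trailing "\n".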
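Review bot: in the hid-logitech-hidpp.c hunk, the new `case 0x02:` arm changes behaviour beyond adding a length check, and the commit message does not mention it. The removed lines called wtp_raw_event for any report that left the switch on a device with HIDPP_QUIRK_CLASS_WTP and otherwise returned 0; the new arm calls wtp_raw_event only for report ID 0x02, and a device without the quirk that sends report ID 0x02 now gets `return 1` instead of 0. Please confirm both changes are intended and document them, or keep the original return value for the non-WTP path. The bare `0x02` would also read better as a named constant, in the style of the REPORT_ID_* names used in hid-logitech-dj.c, with a comment that `size < 2` is a lower bound pending the real WTP report length. The hid_err format string is missing a trailing "\n" as well.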