| Message ID | 20180102173006.506-1-aaron.ma@canonical.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Hi Aaron, There are quite some changes I'd like to see in this patch. See below. On Tue, Jan 2, 2018 at 6:30 PM, Aaron Ma <aaron.ma@canonical.com> wrote: > When convert char array with signed int, if the inbuf[x] is negative then > upper bits will be set to 1. Fix this by using u8 instead of char. > > ret_size has to be at least 3, hid_input_report use it after minus 2 bytes. > > size should be more than 0 to keep memset safe. > > Cc: stable@vger.kernel.org > Signed-off-by: Aaron Ma <aaron.ma@canonical.com> > --- > drivers/hid/hid-core.c | 4 ++-- > drivers/hid/i2c-hid/i2c-hid.c | 10 +++++----- I'd like to have this patch at least split in 2. One for hid-core, one for i2c-hid. Both files are not targeting the same issue, so it would make sense to not have them in the same patch. > 2 files changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c > index 0c3f608131cf..992547771d96 100644 > --- a/drivers/hid/hid-core.c > +++ b/drivers/hid/hid-core.c > @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, > if (rsize > HID_MAX_BUFFER_SIZE) > rsize = HID_MAX_BUFFER_SIZE; > > - if (csize < rsize) { > + if ((csize < rsize) && (csize > 0)) { I would think a call to this function with a csize <= 0 is a reason to fail. And actually, I think an other thing we shouold do is changing the prototype to have an unsigned int for size instead of a simple int. Tracking the impact of such change might involve a bigger patch than a simple check here, but we should be able to at least have the compiler complaining if some driver starts using negative values. > dbg_hid("report %d is too short, (%d < %d)\n", report->id, > csize, rsize); > memset(cdata + csize, 0, rsize - csize); > @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i > report_enum = hid->report_enum + type; > hdrv = hid->driver; > > - if (!size) { > + if (size <= 0) { This should also be solved by changing the prototype of the function. > dbg_hid("empty report\n"); > ret = -1; > goto unlock; > diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c > index e054ee43c1e2..09404ffdb08b 100644 > --- a/drivers/hid/i2c-hid/i2c-hid.c > +++ b/drivers/hid/i2c-hid/i2c-hid.c > @@ -144,10 +144,10 @@ struct i2c_hid { > * register of the HID > * descriptor. */ > unsigned int bufsize; /* i2c buffer size */ > - char *inbuf; /* Input buffer */ > - char *rawbuf; /* Raw Input buffer */ > - char *cmdbuf; /* Command buffer */ > - char *argsbuf; /* Command arguments buffer */ > + u8 *inbuf; /* Input buffer */ > + u8 *rawbuf; /* Raw Input buffer */ > + u8 *cmdbuf; /* Command buffer */ > + u8 *argsbuf; /* Command arguments buffer */ > > unsigned long flags; /* device flags */ > unsigned long quirks; /* Various quirks */ > @@ -473,7 +473,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) > > ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8; > > - if (!ret_size) { > + if (ret_size <= 2) { Please do a separate case, after this one. RESET is acked by a size of 0, a size of 1 or 2 is a bug that needs to be fixed from the HW point of view. Cheers, Benjamin > /* host or device initiated RESET completed */ > if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags)) > wake_up(&ihid->wait); > -- > 2.14.3 > -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
I will follow your advice and send V2. Thanks, Aaron -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Aaron, On Wed, Jan 03, 2018 at 01:30:05AM +0800, Aaron Ma wrote: > When convert char array with signed int, if the inbuf[x] is negative then > upper bits will be set to 1. Fix this by using u8 instead of char. > > ret_size has to be at least 3, hid_input_report use it after minus 2 bytes. At least 2? hid_input_report() checks (!size) > > size should be more than 0 to keep memset safe. > > Cc: stable@vger.kernel.org > Signed-off-by: Aaron Ma <aaron.ma@canonical.com> > --- > drivers/hid/hid-core.c | 4 ++-- > drivers/hid/i2c-hid/i2c-hid.c | 10 +++++----- > 2 files changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c > index 0c3f608131cf..992547771d96 100644 > --- a/drivers/hid/hid-core.c > +++ b/drivers/hid/hid-core.c > @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, > if (rsize > HID_MAX_BUFFER_SIZE) > rsize = HID_MAX_BUFFER_SIZE; > > - if (csize < rsize) { > + if ((csize < rsize) && (csize > 0)) { > dbg_hid("report %d is too short, (%d < %d)\n", report->id, > csize, rsize); > memset(cdata + csize, 0, rsize - csize); > @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i > report_enum = hid->report_enum + type; > hdrv = hid->driver; > > - if (!size) { > + if (size <= 0) { All code that is using hid_input_report() seems to check that no negative size is provided. If we want this check, maybe we should consider making size unsigned instead? > dbg_hid("empty report\n"); > ret = -1; > goto unlock; > diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c > index e054ee43c1e2..09404ffdb08b 100644 > --- a/drivers/hid/i2c-hid/i2c-hid.c > +++ b/drivers/hid/i2c-hid/i2c-hid.c > @@ -144,10 +144,10 @@ struct i2c_hid { > * register of the HID > * descriptor. */ > unsigned int bufsize; /* i2c buffer size */ > - char *inbuf; /* Input buffer */ > - char *rawbuf; /* Raw Input buffer */ > - char *cmdbuf; /* Command buffer */ > - char *argsbuf; /* Command arguments buffer */ > + u8 *inbuf; /* Input buffer */ > + u8 *rawbuf; /* Raw Input buffer */ > + u8 *cmdbuf; /* Command buffer */ > + u8 *argsbuf; /* Command arguments buffer */ Looks good > > unsigned long flags; /* device flags */ > unsigned long quirks; /* Various quirks */ > @@ -473,7 +473,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) > > ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8; > > - if (!ret_size) { > + if (ret_size <= 2) { if (ret_size < 2) ? > /* host or device initiated RESET completed */ > if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags)) > wake_up(&ihid->wait); > -- > 2.14.3 Best regards Marcus Folkesson
Hi Marcus: This patch is replaced by v2 patches you just reviewed. Thanks, Aaron -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 0c3f608131cf..992547771d96 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, if (rsize > HID_MAX_BUFFER_SIZE) rsize = HID_MAX_BUFFER_SIZE; - if (csize < rsize) { + if ((csize < rsize) && (csize > 0)) { dbg_hid("report %d is too short, (%d < %d)\n", report->id, csize, rsize); memset(cdata + csize, 0, rsize - csize); @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i report_enum = hid->report_enum + type; hdrv = hid->driver; - if (!size) { + if (size <= 0) { dbg_hid("empty report\n"); ret = -1; goto unlock; diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index e054ee43c1e2..09404ffdb08b 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -144,10 +144,10 @@ struct i2c_hid { * register of the HID * descriptor. */ unsigned int bufsize; /* i2c buffer size */ - char *inbuf; /* Input buffer */ - char *rawbuf; /* Raw Input buffer */ - char *cmdbuf; /* Command buffer */ - char *argsbuf; /* Command arguments buffer */ + u8 *inbuf; /* Input buffer */ + u8 *rawbuf; /* Raw Input buffer */ + u8 *cmdbuf; /* Command buffer */ + u8 *argsbuf; /* Command arguments buffer */ unsigned long flags; /* device flags */ unsigned long quirks; /* Various quirks */ @@ -473,7 +473,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8; - if (!ret_size) { + if (ret_size <= 2) { /* host or device initiated RESET completed */ if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags)) wake_up(&ihid->wait);
When convert char array with signed int, if the inbuf[x] is negative then upper bits will be set to 1. Fix this by using u8 instead of char. ret_size has to be at least 3, hid_input_report use it after minus 2 bytes. size should be more than 0 to keep memset safe. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma <aaron.ma@canonical.com> --- drivers/hid/hid-core.c | 4 ++-- drivers/hid/i2c-hid/i2c-hid.c | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-)