| Message ID | 20210824150730.9118-1-asha.16@itfac.mrt.ac.lk (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 |
| Delegated to: | Jiri Kosina |
| Headers | show |
| Series | [v3] HID: betop: fix slab-out-of-bounds Write in betop_probe | expand |
On 8/24/21 6:07 PM, F.A.Sulaiman wrote: > Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. > The problem is the driver assumes the device must have an input report but > some malicious devices violate this assumption. > > So this patch checks hid_device's input is non empty before it's been used. > > Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com > Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk> Reviewed-by: Pavel Skripkin <paskripkin@gmail.com> > --- > drivers/hid/hid-betopff.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > > diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c > index 0790fbd3fc9a..467d789f9bc2 100644 > --- a/drivers/hid/hid-betopff.c > +++ b/drivers/hid/hid-betopff.c > @@ -56,15 +56,22 @@ static int betopff_init(struct hid_device *hid) > { > struct betopff_device *betopff; > struct hid_report *report; > - struct hid_input *hidinput = > - list_first_entry(&hid->inputs, struct hid_input, list); > + struct hid_input *hidinput; > struct list_head *report_list = > &hid->report_enum[HID_OUTPUT_REPORT].report_list; > - struct input_dev *dev = hidinput->input; > + struct input_dev *dev; > int field_count = 0; > int error; > int i, j; > > + if (list_empty(&hid->inputs)) { > + hid_err(hid, "no inputs found\n"); > + return -ENODEV; > + } > + > + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); > + dev = hidinput->input; > + > if (list_empty(report_list)) { > hid_err(hid, "no output reports found\n"); > return -ENODEV; >
On Tue, 24 Aug 2021, F.A.Sulaiman wrote: > Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. > The problem is the driver assumes the device must have an input report but > some malicious devices violate this assumption. > > So this patch checks hid_device's input is non empty before it's been used. > > Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com > Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk> Applied, thanks.
diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c index 0790fbd3fc9a..467d789f9bc2 100644 --- a/drivers/hid/hid-betopff.c +++ b/drivers/hid/hid-betopff.c @@ -56,15 +56,22 @@ static int betopff_init(struct hid_device *hid) { struct betopff_device *betopff; struct hid_report *report; - struct hid_input *hidinput = - list_first_entry(&hid->inputs, struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int field_count = 0; int error; int i, j; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV;
Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. The problem is the driver assumes the device must have an input report but some malicious devices violate this assumption. So this patch checks hid_device's input is non empty before it's been used. Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk> --- drivers/hid/hid-betopff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)