From patchwork Mon Sep 18 02:40:59 2023
X-Patchwork-Submitter: Ma Ke
X-Patchwork-Id: 13388758
X-Patchwork-Delegate: jikos@jikos.cz
From: Ma Ke
To: jikos@kernel.org, benjamin.tissoires@redhat.com
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Ma Ke
Subject: [PATCH] HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
Date: Mon, 18 Sep 2023 10:40:59 +0800
Message-Id: <20230918024059.3472762-1-make_ruc2021@163.com>
X-Mailer: git-send-email 2.37.2

There is a slab-out-of-bounds Write bug in the hid-holtek-kbd driver. The problem is the driver assumes the device must have an input but some malicious devices violate this assumption. Fix this by checking hid_device's input is non-empty before its usage.

Signed-off-by: Ma Ke
--- drivers/hid/hid-holtek-kbd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hid/hid-holtek-kbd.c b/drivers/hid/hid-holtek-kbd.c index 403506b9697e..b346d68a06f5 100644 --- a/drivers/hid/hid-holtek-kbd.c +++ b/drivers/hid/hid-holtek-kbd.c @@ -130,6 +130,10 @@ static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type, return -ENODEV; boot_hid = usb_get_intfdata(boot_interface); + if (list_empty(&boot_hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } boot_hid_input = list_first_entry(&boot_hid->inputs, struct hid_input, list);
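Review bot: the new list_empty(&boot_hid->inputs) test dereferences boot_hid immediately after `boot_hid = usb_get_intfdata(boot_interface);` without checking that pointer for NULL. Only boot_interface is validated by the preceding `return -ENODEV;` path. Consider a combined guard such as `if (!boot_hid || list_empty(&boot_hid->inputs))` so that an interface with no driver data is rejected the same way. The message is also logged against hid while the empty list belongs to boot_hid, and "no inputs found" does not say which device is meant. Logging against boot_hid or naming the boot interface in the text would make the error actionable. It would also help if the commit message said why an empty list leads to the out-of-bounds write: list_first_entry() on an empty list returns a pointer computed from the list head itself, not a real struct hid_input.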