From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 1 Sep 2022 11:11:07 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.9.327~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcb18400fe9b1ab103604c7114ab2188e5c864c9;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	hid-steam-prevent-null-pointer-dereference-in-steam_-recv-send-_report.patch
---

diff --git a/queue-5.4/hid-steam-prevent-null-pointer-dereference-in-steam_-recv-send-_report.patch b/queue-5.4/hid-steam-prevent-null-pointer-dereference-in-steam_-recv-send-_report.patch
new file mode 100644
index 00000000000..6f1ed22b689
--- /dev/null
+++ b/queue-5.4/hid-steam-prevent-null-pointer-dereference-in-steam_-recv-send-_report.patch
@@ -0,0 +1,51 @@
+From cd11d1a6114bd4bc6450ae59f6e110ec47362126 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Fri, 8 Jul 2022 08:40:09 +0100
+Subject: HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit cd11d1a6114bd4bc6450ae59f6e110ec47362126 upstream.
+
+It is possible for a malicious device to forgo submitting a Feature
+Report.  The HID Steam driver presently makes no prevision for this
+and de-references the 'struct hid_report' pointer obtained from the
+HID devices without first checking its validity.  Let's change that.
+
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: linux-input@vger.kernel.org
+Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-steam.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/hid/hid-steam.c
++++ b/drivers/hid/hid-steam.c
+@@ -134,6 +134,11 @@ static int steam_recv_report(struct stea
+ 	int ret;
+ 
+ 	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
++	if (!r) {
++		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
++		return -EINVAL;
++	}
++
+ 	if (hid_report_len(r) < 64)
+ 		return -EINVAL;
+ 
+@@ -165,6 +170,11 @@ static int steam_send_report(struct stea
+ 	int ret;
+ 
+ 	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
++	if (!r) {
++		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
++		return -EINVAL;
++	}
++
+ 	if (hid_report_len(r) < 64)
+ 		return -EINVAL;
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index ff4ec61e59b..d56551faefc 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -51,3 +51,4 @@ s390-mm-do-not-trigger-write-fault-when-vma-does-not-allow-vm_write.patch
 x86-bugs-add-unknown-reporting-for-mmio-stale-data.patch
 kbuild-fix-include-path-in-scripts-makefile.modpost.patch
 bluetooth-l2cap-fix-build-errors-in-some-archs.patch
+hid-steam-prevent-null-pointer-dereference-in-steam_-recv-send-_report.patch