From 687e89c1dc11db2aa34b6c2a1d2923f98b0bac96 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 4 Feb 2025 18:50:45 +0100 Subject: [PATCH] 5.15-stable patches added patches: hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch --- ...liers-must-be-in-logical-collections.patch | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch diff --git a/queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch b/queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch new file mode 100644 index 0000000000..299f1768f1 --- /dev/null +++ b/queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch 
@@ -0,0 +1,60 @@ +From 64f2657b579343cf923aa933f08074e6258eb07b Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 31 Dec 2024 14:23:12 -0500 +Subject: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections + +From: Alan Stern + +commit 64f2657b579343cf923aa933f08074e6258eb07b upstream. + +A report in 2019 by the syzbot fuzzer was found to be connected to two +errors in the HID core associated with Resolution Multipliers. One of +the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop +in hid_apply_multiplier."), but the other has not been fixed. + +This error arises because hid_apply_multipler() assumes that every +Resolution Multiplier control is contained in a Logical Collection, +i.e., there's no way the routine can ever set multiplier_collection to +NULL. This is in spite of the fact that the function starts with a +big comment saying: + + * "The Resolution Multiplier control must be contained in the same + * Logical Collection as the control(s) to which it is to be applied. + ... + * If no Logical Collection is + * defined, the Resolution Multiplier is associated with all + * controls in the report." + * HID Usage Table, v1.12, Section 4.3.1, p30 + * + * Thus, search from the current collection upwards until we find a + * logical collection... + +The comment and the code overlook the possibility that none of the +collections found may be a Logical Collection. + +The fix is to set the multiplier_collection pointer to NULL if the +collection found isn't a Logical Collection. 
+ +Reported-by: syzbot+ec5f884c4a135aa0dbb9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000109c040597dc5843@google.com/ +Signed-off-by: Alan Stern +Cc: Peter Hutterer +Fixes: 5a4abb36f312 ("HID: core: process the Resolution Multiplier") +Cc: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1124,6 +1124,8 @@ static void hid_apply_multiplier(struct + while (multiplier_collection->parent_idx != -1 && + multiplier_collection->type != HID_COLLECTION_LOGICAL) + multiplier_collection = &hid->collection[multiplier_collection->parent_idx]; ++ if (multiplier_collection->type != HID_COLLECTION_LOGICAL) ++ multiplier_collection = NULL; + + effective_multiplier = hid_calculate_multiplier(hid, multiplier); + -- 2.47.2
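Review bot: The two lines added after the while loop in the hid_apply_multiplier() hunk change only the code, while the function's header comment quoted in the commit message still ends at "search from the current collection upwards until we find a logical collection..." and the diffstat (2 insertions) shows that comment was left as is. Suggest extending the comment to say that multiplier_collection is set to NULL when the walk reaches a collection with parent_idx == -1 that is not HID_COLLECTION_LOGICAL, in which case the multiplier is associated with all controls in the report. Because this is queued for 5.15-stable and the hunk does not show the code that consumes the pointer after hid_calculate_multiplier(), it is also worth confirming that the 5.15 tree treats a NULL multiplier_collection as "apply to every control" rather than dereferencing it.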