]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
HID: Fix slab-out-of-bounds read in hid_field_extract
authorAlan Stern <stern@rowland.harvard.edu>
Tue, 10 Dec 2019 21:26:11 +0000 (16:26 -0500)
committerBen Hutchings <ben@decadent.org.uk>
Tue, 28 Apr 2020 18:02:51 +0000 (19:02 +0100)
commit5475bdfed8c45c8323f17059589b44ac18caee29
treee01ce772904b5072fcab241e95345c02780d4654
parenta3c7856434a682d52fe106991dc2ffff6f80241d
HID: Fix slab-out-of-bounds read in hid_field_extract

commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.

The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
handler.  The bug was caused by a report descriptor which included a
field with size 12 bits and count 4899, for a total size of 7349
bytes.

The usbhid driver uses at most a single-page 4-KB buffer for reports.
In the test there wasn't any problem about overflowing the buffer,
since only one byte was received from the device.  Rather, the bug
occurred when the HID core tried to extract the data from the report
fields, which caused it to try reading data beyond the end of the
allocated buffer.

This patch fixes the problem by rejecting any report whose total
length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
for a possible report index).  In theory a device could have a report
longer than that, but if there was such a thing we wouldn't handle it
correctly anyway.

Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
drivers/hid/hid-core.c