git.ipfire.org Git - thirdparty/kernel/stable.git/commit

HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()

commit fe7f7ac8e0c708446ff017453add769ffc15deed upstream.

Update struct hid_descriptor to better reflect the mandatory and
optional parts of the HID Descriptor as per USB HID 1.11 specification.
Note: the kernel currently does not parse any optional HID class
descriptors, only the mandatory report descriptor.

Update all references to member element desc[0] to rpt_desc.

Add test to verify bLength and bNumDescriptors values are valid.

Replace the for loop with direct access to the mandatory HID class
descriptor member for the report descriptor. This eliminates the
possibility of getting an out-of-bounds fault.

Add a warning message if the HID descriptor contains any unsupported
optional HID class descriptors.

Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
Fixes: f043bfc98c19 ("HID: usbhid: fix out-of-bounds bug")
Cc: stable@vger.kernel.org
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Terry Junge <linuxhid@cosmicgizmosystems.com>
	Wed, 12 Mar 2025 22:23:31 +0000 (15:23 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 19 Jun 2025 13:32:34 +0000 (15:32 +0200)
commit	74388368927e9c52a69524af5bbd6c55eb4690de
tree	54c7270e9a85abee3e7665e3958de619584d8a06	tree \| snapshot
parent	84e9f0a2c253d793fb24b8efdfdbfb3530f15f31	commit \| diff

drivers/hid/hid-hyperv.c		diff \| blob \| blame \| history
drivers/hid/usbhid/hid-core.c		diff \| blob \| blame \| history
drivers/usb/gadget/function/f_hid.c		diff \| blob \| blame \| history
include/linux/hid.h		diff \| blob \| blame \| history