HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.

The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).

The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.

Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.

The impact is low since access to hidraw devices requires root.

Signed-off-by: Kwok Kin Ming <kenkinming2002@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index 63f46a2e57882f812cc1d00055f0cd4de4dbef1e..5a183af3d5c6a6093c724043785be00f0677ab85 100644 (file)
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -286,6 +286,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid,
         * In addition to report data device will supply data length
         * in the first 2 bytes of the response, so adjust .
         */
+       recv_len = min(recv_len, ihid->bufsize - sizeof(__le16));
        error = i2c_hid_xfer(ihid, ihid->cmdbuf, length,
                             ihid->rawbuf, recv_len + sizeof(__le16));
        if (error) {