Input: ims-pcu - fix potential infinite loop in CDC union descriptor parsing

The driver parses CDC union descriptors in ims_pcu_get_cdc_union_desc()
by iterating through the extra descriptor data. However, it does not
verify that the bLength of each descriptor is at least 2. A malicious
device could provide a descriptor with bLength = 0, leading to an
infinite loop in the driver.

Add a check to ensure bLength is at least 2 before proceeding with
parsing.

Fixes: 628329d52474 (Input: add IMS Passenger Control Unit driver)
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index a730cc2690d5385f3fed64fc6469409ac476a9f7..b1ff8c70877fedb8985e77547e295668c7d87bb6 100644 (file)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1709,8 +1709,9 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
        while (buflen >= sizeof(*union_desc)) {
                union_desc = (struct usb_cdc_union_desc *)buf;
 
-               if (union_desc->bLength > buflen) {
-                       dev_err(&intf->dev, "Too large descriptor\n");
+               if (union_desc->bLength < 2 || union_desc->bLength > buflen) {
+                       dev_err(&intf->dev, "Invalid descriptor length: %d\n",
+                               union_desc->bLength);
                        return NULL;
                }