From 32a31e0087fe88df12fdb8e7dcd309d17c569f38 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 3 Dec 2025 14:31:49 +0100
Subject: [PATCH] 6.1-stable patches

added patches:
hid-core-harden-s32ton-against-conversion-to-0-bits.patch
---
 ...-s32ton-against-conversion-to-0-bits.patch | 55 +++++++++++++++++++
 queue-6.1/series | 1 +
 2 files changed, 56 insertions(+)
 create mode 100644 queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch

diff --git a/queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch b/queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch
new file mode 100644
index 0000000000..c8258cd2d8
--- /dev/null
+++ b/queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch
@@ -0,0 +1,55 @@
+From stable+bounces-198191-greg=kroah.com@vger.kernel.org Wed Dec 3 12:35:57 2025
+From: jetlan9@163.com
+Date: Wed, 3 Dec 2025 11:24:50 +0000
+Subject: HID: core: Harden s32ton() against conversion to 0 bits
+To: stable@vger.kernel.org
+Cc: Alan Stern , syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com, Benjamin Tissoires , Wenshan Lan
+Message-ID: <20251203112450.4314-1-jetlan9@163.com>
+
+From: Alan Stern
+
+[ Upstream commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd ]
+
+Testing by the syzbot fuzzer showed that the HID core gets a
+shift-out-of-bounds exception when it tries to convert a 32-bit
+quantity to a 0-bit quantity. Ideally this should never occur, but
+there are buggy devices and some might have a report field with size
+set to zero; we shouldn't reject the report or the device just because
+of that.
+
+Instead, harden the s32ton() routine so that it returns a reasonable
+result instead of crashing when it is called with the number of bits
+set to 0 -- the same as what snto32() does.
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/
+Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu
+Signed-off-by: Benjamin Tissoires
+[ s32ton() was moved by c653ffc28340 ("HID: stop exporting hid_snto32()").
+ Minor context change fixed. ]
+Signed-off-by: Wenshan Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1354,7 +1354,12 @@ EXPORT_SYMBOL_GPL(hid_snto32);
+ 
+ static u32 s32ton(__s32 value, unsigned n)
+ {
+- s32 a = value >> (n - 1);
++ s32 a;
++ if (!value || !n)
++ return 0;
++
++ a = value >> (n - 1);
++
+ if (a && a != -1)
+ return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1;
+ return value & ((1 << n) - 1);
diff --git a/queue-6.1/series b/queue-6.1/series
index 2975c8f79f..3d8a9d2e07 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -565,3 +565,4 @@ usb-udc-add-trace-event-for-usb_gadget_set_state.patch
 usb-gadget-udc-fix-use-after-free-in-usb_gadget_state_work.patch
 scsi-pm80xx-set-phy-enable_completion-only-when-we.patch
 i2c-xgene-slimpro-migrate-to-use-generic-pcc-shmem-related-macros.patch
+hid-core-harden-s32ton-against-conversion-to-0-bits.patch
-- 
2.47.3
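Review bot: The added `if (!value || !n) return 0;` guard in s32ton() covers only the zero-width case; nothing in the hunk bounds `n` from above, so `value >> (n - 1)` with n > 32 and `1 << n` with n >= 32 would still be out-of-range shifts of the same class as the syzbot report. Whether a device-supplied report size that large can reach this function depends on parser validation that is not visible here, so it is worth confirming for the 6.1 tree rather than assuming. If it can, clamp right after the zero check with `if (n > 32) n = 32;` and build the mask in a form that is defined at full width, e.g. `return value & GENMASK(n - 1, 0);`, using `1U << (n - 1)` in the saturating branch. The function's closing brace lies outside the hunk.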