Message ID | 20240730234242.256598-1-cam.alvarez.i@gmail.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | a6e9c391d45b5865b61e569146304cff72821a5d |
Delegated to: | Jiri Kosina |
Series | usb: fix slab-out-of-bounds Read in cougar_report_fixup |
On Tue, Jul 30, 2024 at 07:42:43PM -0400, Camila Alvarez wrote: > report_fixup for the Cougar 500k Gaming Keyboard was not verifying > that the report descriptor size was correct before accessing it > > Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452 > Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com> > --- > drivers/hid/hid-cougar.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) This LGTM! Reviewed-by: Silvan Jegen <s.jegen@gmail.com> > > diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c > index cb8bd8aae15b..0fa785f52707 100644 > --- a/drivers/hid/hid-cougar.c > +++ b/drivers/hid/hid-cougar.c > @@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void) > static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc, > unsigned int *rsize) > { > - if (rdesc[2] == 0x09 && rdesc[3] == 0x02 && > + if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 && > (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) { > hid_info(hdev, > "usage count exceeds max: fixing up report descriptor\n"); > -- > 2.34.1 > >
On Tue, 30 Jul 2024, Camila Alvarez wrote:
> report_fixup for the Cougar 500k Gaming Keyboard was not verifying
> that the report descriptor size was correct before accessing it
>
> Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
> Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>

Applied, thanks.
On Thu, 1 Aug 2024, Jiri Kosina wrote:
> On Tue, 30 Jul 2024, Camila Alvarez wrote:
>
>> report_fixup for the Cougar 500k Gaming Keyboard was not verifying
>> that the report descriptor size was correct before accessing it
>>
>> Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
>> Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
>
> Applied, thanks.
>

Thank you!

> --
> Jiri Kosina
> SUSE Labs
diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c index cb8bd8aae15b..0fa785f52707 100644 --- a/drivers/hid/hid-cougar.c +++ b/drivers/hid/hid-cougar.c @@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void) static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc, unsigned int *rsize) { - if (rdesc[2] == 0x09 && rdesc[3] == 0x02 && + if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 && (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) { hid_info(hdev, "usage count exceeds max: fixing up report descriptor\n");
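Review bot: the bound 117 in the added condition `*rsize >= 117` is an unexplained literal; it is correct only because the highest index read on the following line is rdesc[116], and nothing in the code ties the two together. A short comment or a named constant next to the check (for example a hypothetical COUGAR_RDESC_MIN_SIZE defined as 117) would keep the size test and the indices from drifting apart if the fixup is ever changed. Placing the size test first is the right order, since && short-circuits and the reads of rdesc[2] and rdesc[3] are then covered as well. The subject line carries a usb: prefix although the only file touched is drivers/hid/hid-cougar.c, so a HID prefix would match the subsystem.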
report_fixup for the Cougar 500k Gaming Keyboard was not verifying
that the report descriptor size was correct before accessing it

Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
---
 drivers/hid/hid-cougar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)