| Message ID | 1418745323-17133-1-git-send-email-peter@lekensteyn.nl (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Jiri Kosina |
| Headers | show |
On Tue, Dec 16, 2014 at 10:55 AM, Peter Wu <peter@lekensteyn.nl> wrote: > Malicious USB devices can send bogus reports smaller than the expected > buffer size. Ensure that the length is valid to avoid reading out of > bounds. > > Signed-off-by: Peter Wu <peter@lekensteyn.nl> > --- > v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length > v2: splitted original report length check patch > --- Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cheers, Benjamin > drivers/hid/hid-logitech-dj.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c > index c917ab6..5bc6d80 100644 > --- a/drivers/hid/hid-logitech-dj.c > +++ b/drivers/hid/hid-logitech-dj.c > @@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev, > > switch (data[0]) { > case REPORT_ID_DJ_SHORT: > + if (size != DJREPORT_SHORT_LENGTH) { > + dev_err(&hdev->dev, "DJ report of bad size (%d)", size); > + return false; > + } > return logi_dj_dj_event(hdev, report, data, size); > case REPORT_ID_HIDPP_SHORT: > - /* intentional fallthrough */ > + if (size != HIDPP_REPORT_SHORT_LENGTH) { > + dev_err(&hdev->dev, > + "Short HID++ report of bad size (%d)", size); > + return false; > + } > + return logi_dj_hidpp_event(hdev, report, data, size); > case REPORT_ID_HIDPP_LONG: > + if (size != HIDPP_REPORT_LONG_LENGTH) { > + dev_err(&hdev->dev, > + "Long HID++ report of bad size (%d)", size); > + return false; > + } > return logi_dj_hidpp_event(hdev, report, data, size); > } > > -- > 2.1.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-input" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, 16 Dec 2014, Peter Wu wrote: > Malicious USB devices can send bogus reports smaller than the expected > buffer size. Ensure that the length is valid to avoid reading out of > bounds. > > Signed-off-by: Peter Wu <peter@lekensteyn.nl> > --- > v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length > v2: splitted original report length check patch Applied to for-3.19/upstream-fixes.
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c index c917ab6..5bc6d80 100644 --- a/drivers/hid/hid-logitech-dj.c +++ b/drivers/hid/hid-logitech-dj.c @@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev, switch (data[0]) { case REPORT_ID_DJ_SHORT: + if (size != DJREPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, "DJ report of bad size (%d)", size); + return false; + } return logi_dj_dj_event(hdev, report, data, size); case REPORT_ID_HIDPP_SHORT: - /* intentional fallthrough */ + if (size != HIDPP_REPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, + "Short HID++ report of bad size (%d)", size); + return false; + } + return logi_dj_hidpp_event(hdev, report, data, size); case REPORT_ID_HIDPP_LONG: + if (size != HIDPP_REPORT_LONG_LENGTH) { + dev_err(&hdev->dev, + "Long HID++ report of bad size (%d)", size); + return false; + } return logi_dj_hidpp_event(hdev, report, data, size); }
Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length is valid to avoid reading out of bounds. Signed-off-by: Peter Wu <peter@lekensteyn.nl> --- v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length v2: splitted original report length check patch --- drivers/hid/hid-logitech-dj.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)