| Message ID | 20170908175527.GA19720@dtor-ws (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, 8 Sep 2017, Dmitry Torokhov wrote: > From: Adrian Salido <salidoa@google.com> > > The buffer allocation is not currently accounting for an extra byte for > the report id. This can cause an out of bounds access in function > i2c_hid_set_or_send_report() with reportID > 15. > > Signed-off-by: Guenter Roeck <groeck@chromium.org> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Missing signoff from the patch author? Also, I think this should have Cc: stable, right? Thanks,
On Wed, Sep 13, 2017 at 07:02:05AM -0700, Jiri Kosina wrote: > On Fri, 8 Sep 2017, Dmitry Torokhov wrote: > > > From: Adrian Salido <salidoa@google.com> > > > > The buffer allocation is not currently accounting for an extra byte for > > the report id. This can cause an out of bounds access in function > > i2c_hid_set_or_send_report() with reportID > 15. > > > > Signed-off-by: Guenter Roeck <groeck@chromium.org> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > Missing signoff from the patch author? Oops, I must have cut it off on accident while removing ChromeOS specific tags, the original commit is here: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/475212 > > Also, I think this should have Cc: stable, right? I usually let maintainers decide, but yes. Thanks.
On Wed, 13 Sep 2017, Dmitry Torokhov wrote: > > > From: Adrian Salido <salidoa@google.com> > > > > > > The buffer allocation is not currently accounting for an extra byte for > > > the report id. This can cause an out of bounds access in function > > > i2c_hid_set_or_send_report() with reportID > 15. > > > > > > Signed-off-by: Guenter Roeck <groeck@chromium.org> > > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > > > Missing signoff from the patch author? > > Oops, I must have cut it off on accident while removing ChromeOS > specific tags, the original commit is here: > > https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/475212 Ok, thanks, will use that one. How about Reviewed-by: Benson Leung <bleung@chromium.org> which is missing in the mail you've sent, but is there in the above reference commit? > > Also, I think this should have Cc: stable, right? > > I usually let maintainers decide, but yes. I'll be adding it. Thanks,
Hi Jiri, On Wed, Sep 13, 2017 at 07:52:20AM -0700, Jiri Kosina wrote: > > Oops, I must have cut it off on accident while removing ChromeOS > > specific tags, the original commit is here: > > > > https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/475212 > > Ok, thanks, will use that one. How about > > Reviewed-by: Benson Leung <bleung@chromium.org> > > which is missing in the mail you've sent, but is there in the above > reference commit? Submission looks good to me. Go ahead and add. Reviewed-by: Benson Leung <bleung@chromium.org> Thanks, Benson
On Fri, 8 Sep 2017, Dmitry Torokhov wrote: > From: Adrian Salido <salidoa@google.com> > > The buffer allocation is not currently accounting for an extra byte for > the report id. This can cause an out of bounds access in function > i2c_hid_set_or_send_report() with reportID > 15. > > Signed-off-by: Guenter Roeck <groeck@chromium.org> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> I've added the missing tags and applied to for-4.14/upstream-fixes
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index 77396145d2d0..9145c2129a96 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size) { /* the worst case is computed from the set_report command with a * reportID > 15 and the maximum report length */ - int args_len = sizeof(__u8) + /* optional ReportID byte */ + int args_len = sizeof(__u8) + /* ReportID */ + sizeof(__u8) + /* optional ReportID byte */ sizeof(__u16) + /* data register */ sizeof(__u16) + /* size of the report */ report_size; /* report */