| Message ID | 20220803111831.387506-1-lee@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | cd11d1a6114bd4bc6450ae59f6e110ec47362126 |
| Delegated to: | Jiri Kosina |
| Headers | show |
| Series | [RESEND] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report | expand |
On Wed, 03 Aug 2022, Lee Jones wrote: > It is possible for a malicious device to forgo submitting a Feature > Report. The HID Steam driver presently makes no prevision for this > and de-references the 'struct hid_report' pointer obtained from the > HID devices without first checking its validity. Let's change that. This patch has been floating around since the beginning of July. It fixes a real issue which was found by creating a virtual (software based) malicious device and registering it as a HID device. There is nothing preventing a real attacker from creating a H/W version of the device in order to instigate an out-of-bounds read, potentially leading to a data leak. Would someone be kind enough to review please? > Cc: Jiri Kosina <jikos@kernel.org> > Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> > Cc: linux-input@vger.kernel.org > Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller") > Signed-off-by: Lee Jones <lee@kernel.org> > --- > drivers/hid/hid-steam.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c > index a3b151b29bd71..fc616db4231bb 100644 > --- a/drivers/hid/hid-steam.c > +++ b/drivers/hid/hid-steam.c > @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam, > int ret; > > r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; > + if (!r) { > + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); > + return -EINVAL; > + } > + > if (hid_report_len(r) < 64) > return -EINVAL; > > @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam, > int ret; > > r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; > + if (!r) { > + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); > + return -EINVAL; > + } > + > if (hid_report_len(r) < 64) > return -EINVAL; >
Hi Lee Jones <lee@kernel.org> wrote: > On Wed, 03 Aug 2022, Lee Jones wrote: > > > It is possible for a malicious device to forgo submitting a Feature > > Report. The HID Steam driver presently makes no prevision for this > > and de-references the 'struct hid_report' pointer obtained from the > > HID devices without first checking its validity. Let's change that. > > This patch has been floating around since the beginning of July. > > It fixes a real issue which was found by creating a virtual > (software based) malicious device and registering it as a HID device. > > There is nothing preventing a real attacker from creating a H/W > version of the device in order to instigate an out-of-bounds read, > potentially leading to a data leak. > > Would someone be kind enough to review please? AFACT this patch has been applied by Jiri on the 25th of August already. Is a review still needed in this case? Cheers, Silvan > > > Cc: Jiri Kosina <jikos@kernel.org> > > Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> > > Cc: linux-input@vger.kernel.org > > Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller") > > Signed-off-by: Lee Jones <lee@kernel.org> > > --- > > drivers/hid/hid-steam.c | 10 ++++++++++ > > 1 file changed, 10 insertions(+) > > > > diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c > > index a3b151b29bd71..fc616db4231bb 100644 > > --- a/drivers/hid/hid-steam.c > > +++ b/drivers/hid/hid-steam.c > > @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam, > > int ret; > > > > r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; > > + if (!r) { > > + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); > > + return -EINVAL; > > + } > > + > > if (hid_report_len(r) < 64) > > return -EINVAL; > > > > @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam, > > int ret; > > > > r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; > > + if (!r) { > > + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); > > + return -EINVAL; > > + } > > + > > if (hid_report_len(r) < 64) > > return -EINVAL; > >
On Mon, 12 Sep 2022, Silvan Jegen wrote: > Hi > > Lee Jones <lee@kernel.org> wrote: > > On Wed, 03 Aug 2022, Lee Jones wrote: > > > > > It is possible for a malicious device to forgo submitting a Feature > > > Report. The HID Steam driver presently makes no prevision for this > > > and de-references the 'struct hid_report' pointer obtained from the > > > HID devices without first checking its validity. Let's change that. > > > > This patch has been floating around since the beginning of July. > > > > It fixes a real issue which was found by creating a virtual > > (software based) malicious device and registering it as a HID device. > > > > There is nothing preventing a real attacker from creating a H/W > > version of the device in order to instigate an out-of-bounds read, > > potentially leading to a data leak. > > > > Would someone be kind enough to review please? > > AFACT this patch has been applied by Jiri on the 25th of August already. Ah, I missed his reply to the original patch. > Is a review still needed in this case? Certainly not. Thank you for your reply.
diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c index a3b151b29bd71..fc616db4231bb 100644 --- a/drivers/hid/hid-steam.c +++ b/drivers/hid/hid-steam.c @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam, int ret; r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; + if (!r) { + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); + return -EINVAL; + } + if (hid_report_len(r) < 64) return -EINVAL; @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam, int ret; r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; + if (!r) { + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); + return -EINVAL; + } + if (hid_report_len(r) < 64) return -EINVAL;
It is possible for a malicious device to forgo submitting a Feature Report. The HID Steam driver presently makes no prevision for this and de-references the 'struct hid_report' pointer obtained from the HID devices without first checking its validity. Let's change that. Cc: Jiri Kosina <jikos@kernel.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: linux-input@vger.kernel.org Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller") Signed-off-by: Lee Jones <lee@kernel.org> --- drivers/hid/hid-steam.c | 10 ++++++++++ 1 file changed, 10 insertions(+)