It is possible for a malicious device to forgo submitting a Feature
Report. The HID Steam driver presently makes no prevision for this
and de-references the 'struct hid_report' pointer obtained from the
HID devices without first checking its validity. Let's change that.
Cc: Jiri Kosina <[email protected]>
Cc: Benjamin Tissoires <[email protected]>
Cc: [email protected]
Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
Signed-off-by: Lee Jones <[email protected]>
---
drivers/hid/hid-steam.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index a3b151b29bd71..fc616db4231bb 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
int ret;
r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+ if (!r) {
+ hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
+ return -EINVAL;
+ }
+
if (hid_report_len(r) < 64)
return -EINVAL;
@@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
int ret;
r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+ if (!r) {
+ hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
+ return -EINVAL;
+ }
+
if (hid_report_len(r) < 64)
return -EINVAL;
--
2.37.1.455.g008518b4e5-goog
On Wed, 03 Aug 2022, Lee Jones wrote:
> It is possible for a malicious device to forgo submitting a Feature
> Report. The HID Steam driver presently makes no prevision for this
> and de-references the 'struct hid_report' pointer obtained from the
> HID devices without first checking its validity. Let's change that.
This patch has been floating around since the beginning of July.
It fixes a real issue which was found by creating a virtual
(software based) malicious device and registering it as a HID device.
There is nothing preventing a real attacker from creating a H/W
version of the device in order to instigate an out-of-bounds read,
potentially leading to a data leak.
Would someone be kind enough to review please?
> Cc: Jiri Kosina <[email protected]>
> Cc: Benjamin Tissoires <[email protected]>
> Cc: [email protected]
> Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
> Signed-off-by: Lee Jones <[email protected]>
> ---
> drivers/hid/hid-steam.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> index a3b151b29bd71..fc616db4231bb 100644
> --- a/drivers/hid/hid-steam.c
> +++ b/drivers/hid/hid-steam.c
> @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
> int ret;
>
> r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> + if (!r) {
> + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
> + return -EINVAL;
> + }
> +
> if (hid_report_len(r) < 64)
> return -EINVAL;
>
> @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
> int ret;
>
> r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> + if (!r) {
> + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
> + return -EINVAL;
> + }
> +
> if (hid_report_len(r) < 64)
> return -EINVAL;
>
--
Lee Jones [李琼斯]
Hi
Lee Jones <[email protected]> wrote:
> On Wed, 03 Aug 2022, Lee Jones wrote:
>
> > It is possible for a malicious device to forgo submitting a Feature
> > Report. The HID Steam driver presently makes no prevision for this
> > and de-references the 'struct hid_report' pointer obtained from the
> > HID devices without first checking its validity. Let's change that.
>
> This patch has been floating around since the beginning of July.
>
> It fixes a real issue which was found by creating a virtual
> (software based) malicious device and registering it as a HID device.
>
> There is nothing preventing a real attacker from creating a H/W
> version of the device in order to instigate an out-of-bounds read,
> potentially leading to a data leak.
>
> Would someone be kind enough to review please?
AFACT this patch has been applied by Jiri on the 25th of August already.
Is a review still needed in this case?
Cheers,
Silvan
>
> > Cc: Jiri Kosina <[email protected]>
> > Cc: Benjamin Tissoires <[email protected]>
> > Cc: [email protected]
> > Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller")
> > Signed-off-by: Lee Jones <[email protected]>
> > ---
> > drivers/hid/hid-steam.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> > index a3b151b29bd71..fc616db4231bb 100644
> > --- a/drivers/hid/hid-steam.c
> > +++ b/drivers/hid/hid-steam.c
> > @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
> > int ret;
> >
> > r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> > + if (!r) {
> > + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
> > + return -EINVAL;
> > + }
> > +
> > if (hid_report_len(r) < 64)
> > return -EINVAL;
> >
> > @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
> > int ret;
> >
> > r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
> > + if (!r) {
> > + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n");
> > + return -EINVAL;
> > + }
> > +
> > if (hid_report_len(r) < 64)
> > return -EINVAL;
> >
On Mon, 12 Sep 2022, Silvan Jegen wrote:
> Hi
>
> Lee Jones <[email protected]> wrote:
> > On Wed, 03 Aug 2022, Lee Jones wrote:
> >
> > > It is possible for a malicious device to forgo submitting a Feature
> > > Report. The HID Steam driver presently makes no prevision for this
> > > and de-references the 'struct hid_report' pointer obtained from the
> > > HID devices without first checking its validity. Let's change that.
> >
> > This patch has been floating around since the beginning of July.
> >
> > It fixes a real issue which was found by creating a virtual
> > (software based) malicious device and registering it as a HID device.
> >
> > There is nothing preventing a real attacker from creating a H/W
> > version of the device in order to instigate an out-of-bounds read,
> > potentially leading to a data leak.
> >
> > Would someone be kind enough to review please?
>
> AFACT this patch has been applied by Jiri on the 25th of August already.
Ah, I missed his reply to the original patch.
> Is a review still needed in this case?
Certainly not. Thank you for your reply.
--
Lee Jones [李琼斯]