From: Adrian Salido <[email protected]>
The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
---
drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 77396145d2d0..9145c2129a96 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
{
/* the worst case is computed from the set_report command with a
* reportID > 15 and the maximum report length */
- int args_len = sizeof(__u8) + /* optional ReportID byte */
+ int args_len = sizeof(__u8) + /* ReportID */
+ sizeof(__u8) + /* optional ReportID byte */
sizeof(__u16) + /* data register */
sizeof(__u16) + /* size of the report */
report_size; /* report */
--
2.14.1.581.gf28d330327-goog
--
Dmitry
On Fri, 8 Sep 2017, Dmitry Torokhov wrote:
> From: Adrian Salido <[email protected]>
>
> The buffer allocation is not currently accounting for an extra byte for
> the report id. This can cause an out of bounds access in function
> i2c_hid_set_or_send_report() with reportID > 15.
>
> Signed-off-by: Guenter Roeck <[email protected]>
> Signed-off-by: Dmitry Torokhov <[email protected]>
Missing signoff from the patch author?
Also, I think this should have Cc: stable, right?
Thanks,
--
Jiri Kosina
SUSE Labs
On Wed, Sep 13, 2017 at 07:02:05AM -0700, Jiri Kosina wrote:
> On Fri, 8 Sep 2017, Dmitry Torokhov wrote:
>
> > From: Adrian Salido <[email protected]>
> >
> > The buffer allocation is not currently accounting for an extra byte for
> > the report id. This can cause an out of bounds access in function
> > i2c_hid_set_or_send_report() with reportID > 15.
> >
> > Signed-off-by: Guenter Roeck <[email protected]>
> > Signed-off-by: Dmitry Torokhov <[email protected]>
>
> Missing signoff from the patch author?
Oops, I must have cut it off on accident while removing ChromeOS
specific tags, the original commit is here:
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/475212
>
> Also, I think this should have Cc: stable, right?
I usually let maintainers decide, but yes.
Thanks.
--
Dmitry
On Wed, 13 Sep 2017, Dmitry Torokhov wrote:
> > > From: Adrian Salido <[email protected]>
> > >
> > > The buffer allocation is not currently accounting for an extra byte for
> > > the report id. This can cause an out of bounds access in function
> > > i2c_hid_set_or_send_report() with reportID > 15.
> > >
> > > Signed-off-by: Guenter Roeck <[email protected]>
> > > Signed-off-by: Dmitry Torokhov <[email protected]>
> >
> > Missing signoff from the patch author?
>
> Oops, I must have cut it off on accident while removing ChromeOS
> specific tags, the original commit is here:
>
> https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/475212
Ok, thanks, will use that one. How about
Reviewed-by: Benson Leung <[email protected]>
which is missing in the mail you've sent, but is there in the above
reference commit?
> > Also, I think this should have Cc: stable, right?
>
> I usually let maintainers decide, but yes.
I'll be adding it. Thanks,
--
Jiri Kosina
SUSE Labs
Hi Jiri,
On Wed, Sep 13, 2017 at 07:52:20AM -0700, Jiri Kosina wrote:
> > Oops, I must have cut it off on accident while removing ChromeOS
> > specific tags, the original commit is here:
> >
> > https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/475212
>
> Ok, thanks, will use that one. How about
>
> Reviewed-by: Benson Leung <[email protected]>
>
> which is missing in the mail you've sent, but is there in the above
> reference commit?
Submission looks good to me. Go ahead and add.
Reviewed-by: Benson Leung <[email protected]>
Thanks,
Benson
--
Benson Leung
Staff Software Engineer
Chrome OS Kernel
Google Inc.
[email protected]
Chromium OS Project
[email protected]
On Fri, 8 Sep 2017, Dmitry Torokhov wrote:
> From: Adrian Salido <[email protected]>
>
> The buffer allocation is not currently accounting for an extra byte for
> the report id. This can cause an out of bounds access in function
> i2c_hid_set_or_send_report() with reportID > 15.
>
> Signed-off-by: Guenter Roeck <[email protected]>
> Signed-off-by: Dmitry Torokhov <[email protected]>
I've added the missing tags and applied to for-4.14/upstream-fixes
--
Jiri Kosina
SUSE Labs