Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751724AbdITPut (ORCPT ); Wed, 20 Sep 2017 11:50:49 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:44534 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1751602AbdITPur (ORCPT ); Wed, 20 Sep 2017 11:50:47 -0400 Date: Wed, 20 Sep 2017 11:50:46 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: Kim Jaejoong cc: Andrey Konovalov , Jiri Kosina , Benjamin Tissoires , USB list , , LKML , syzkaller , Dmitry Vyukov , Kostya Serebryany Subject: Re: usb/hid: slab-out-of-bounds read in usbhid_parse In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1083 Lines: 32 On Wed, 20 Sep 2017, Kim Jaejoong wrote: > To. usb & input guys. > > While dig this report, i was wondering about bNumDescriptors in HID descriptor. > HID document from usb.org said, 'this number must be at least one (1) > as a Report descriptor will always be present.' > > There is no mention of the order of class descriptors. Suppose you > have a HID device with a report descriptor and a physical descriptor. > > If you have the following hid descriptor in this case, > HID descriptor > bLength: 12 > bDescriptor Type: HID > .. skip > bNumDescriptors: 2 > bDescriptorType: physical > bDescriptorLength: any > bDescriptorType: Report > bDescriptorLength: any > > If the order of the report descriptor is the second as above, > usbhid_parse () will fail because my patch is only check the first > bDescriptor Type. > But If the order of the report descriptor is always first, there is no > problem. How do you think this? The descriptors can appear in any order. You should not assume that the report descriptor will always come first. Alan Stern