From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, Jiri Kosina, syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
Subject: [PATCH 4.4 07/28] HID: Fix slab-out-of-bounds read in hid_field_extract
Date: Tue, 14 Jan 2020 11:02:09 +0100
Message-Id: <20200114094340.971996952@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200114094336.845958665@linuxfoundation.org>
References: <20200114094336.845958665@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alan Stern

commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.

The syzbot fuzzer found a slab-out-of-bounds bug in the HID report handler. The bug was caused by a report descriptor which included a field with size 12 bits and count 4899, for a total size of 7349 bytes.

The usbhid driver uses at most a single-page 4-KB buffer for reports. In the test there wasn't any problem about overflowing the buffer, since only one byte was received from the device. Rather, the bug occurred when the HID core tried to extract the data from the report fields, which caused it to try reading data beyond the end of the allocated buffer.

This patch fixes the problem by rejecting any report whose total length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow for a possible report index). In theory a device could have a report longer than that, but if there was such a thing we wouldn't handle it correctly anyway.

Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
Signed-off-by: Alan Stern
CC:
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
 drivers/hid/hid-core.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -269,6 +269,12 @@ static int hid_add_field(struct hid_pars offset = report->size; report->size += parser->global.report_size * parser->global.report_count; + /* Total size check: Allow for possible report index byte */ + if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) { + hid_err(parser->device, "report is too long\n"); + return -1; + } + if (!parser->local.usage_index) /* Ignore padding fields */ return 0;
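Review bot: the condition `report->size > (HID_MAX_BUFFER_SIZE - 1) << 3` relies on `<<` binding tighter than `>`, which it does, but the intent (turn a byte limit into bits and compare it with the bit count kept in report->size) is easier to verify at a glance with explicit parentheses, e.g. `if (report->size > ((HID_MAX_BUFFER_SIZE - 1) << 3))`. The check also runs after `report->size +=` has already been applied, so the oversized field's bits remain accumulated in report->size on the error path; that is harmless because returning -1 aborts the descriptor parse, but computing the new total into a local and assigning it only after the check would make that explicit. The comment could additionally say that report->size is in bits, since the `<< 3` is the only hint.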
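To see the numbers from the commit message worked through, here is an added C example (not code from the patch or the kernel) that models how hid_add_field accumulates report->size in bits and applies the new length check. It assumes HID_MAX_BUFFER_SIZE is 4096 bytes, the single-page buffer the message mentions, and constructs the 12-bit by 4899 field from the message beside a normally sized report.

```c
/* Added example modelling the size accounting in hid_add_field.
 * Assumption: HID_MAX_BUFFER_SIZE is the 4-KB page the commit message refers to. */
#include <stdio.h>
#include <stddef.h>

#define HID_MAX_BUFFER_SIZE 4096   /* assumed value, in bytes */

struct report_field {
    unsigned int report_size;   /* bits per item (global Report Size item) */
    unsigned int report_count;  /* number of items (global Report Count item) */
};

/* Accumulates field sizes into a report's bit count the way the patched
 * hid_add_field does: the size is added first, then compared with the byte
 * limit converted to bits. Returns -1 on the first field that exceeds the
 * limit, 0 otherwise; *total_bits receives the running total either way. */
int add_fields(const struct report_field *fields, size_t n,
               unsigned int *total_bits)
{
    unsigned int size = 0;
    for (size_t i = 0; i < n; i++) {
        size += fields[i].report_size * fields[i].report_count;
        /* Allow for a possible report index byte: limit is (max - 1) bytes */
        if (size > ((HID_MAX_BUFFER_SIZE - 1) << 3)) {
            *total_bits = size;
            return -1;
        }
    }
    *total_bits = size;
    return 0;
}

/* Bytes needed to hold a report of the given length in bits, rounded up. */
unsigned int bits_to_bytes(unsigned int bits)
{
    return (bits + 7) / 8;
}

int main(void)
{
    /* Constructed from the commit message: 12 bits x 4899 items */
    struct report_field fuzzed = { 12, 4899 };
    /* Constructed: an ordinary 65-byte report, 64 bytes of data plus 8 bit flags */
    struct report_field sane[] = { { 8, 64 }, { 1, 8 } };
    unsigned int bits;

    int rc = add_fields(&fuzzed, 1, &bits);
    printf("fuzzed: %u bits = %u bytes, rc=%d\n", bits, bits_to_bytes(bits), rc);
    rc = add_fields(sane, 2, &bits);
    printf("sane:   %u bits = %u bytes, rc=%d\n", bits, bits_to_bytes(bits), rc);
    return 0;
}
```

The fuzzed descriptor accumulates 58788 bits, which rounds up to the 7349 bytes quoted in the message and is rejected because it exceeds the 4095-byte limit, while the 65-byte report passes.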