Date: Tue, 18 Aug 2020 06:00:08 -0400
From: Peilin Ye
To: Jiri Kosina
Cc: Benjamin Tissoires, Dan Carpenter, Greg Kroah-Hartman, syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, linux-usb@vger.kernel.org, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH v2 RESEND] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
Message-ID: <20200818100008.GA2135@PWN>
References: <20200718231218.170730-1-yepeilin.cs@gmail.com> <20200729113712.8097-1-yepeilin.cs@gmail.com>

On Mon, Aug 17, 2020 at 12:21:41PM +0200, Jiri Kosina wrote:
> On Wed, 29 Jul 2020, Peilin Ye wrote:
>
> > `uref->usage_index` is not always being properly checked, causing
> > hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
> >
> > Reported-by: syzbot+34ee1b45d88571c2fa8b@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?id=f2aebe90b8c56806b050a20b36f51ed6acabe802
> > Reviewed-by: Dan Carpenter
> > Signed-off-by: Peilin Ye
> > ---
> > Change in v2:
> >     - Add the same check for the `HIDIOCGUSAGE` case. (Suggested by
> >       Dan Carpenter)
>
> Applied, thanks.

Thank you for reviewing the patch!

Peilin Ye
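
The class of bug named in the quoted commit message (a caller-supplied index reaching an array in some ioctl cases without a bounds check), as an added example that is not the kernel patch or any code from this thread. It is a userspace model: every type and function name is hypothetical, and validating once ahead of the dispatch is this example's own choice rather than a description of how the patch is structured.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical userspace model; none of these names are the kernel's. */
enum usage_cmd { CMD_GET_USAGE, CMD_SET_USAGE };
struct field_model { uint32_t count; int32_t *value; }; /* value[count] */
struct usage_ref_model { uint32_t usage_index; int32_t value; };

/* Validate the untrusted index once, ahead of the dispatch, so that no
 * case (read or write) can reach value[] unchecked.
 * Returns 0 on success, -EINVAL on a bad argument. */
int usage_ioctl_model(struct field_model *f, enum usage_cmd cmd,
                      struct usage_ref_model *ref)
{
    if (f == NULL || ref == NULL || f->value == NULL)
        return -EINVAL;
    /* Unsigned compare: index == count is already one past the end. */
    if (ref->usage_index >= f->count)
        return -EINVAL;

    switch (cmd) {
    case CMD_GET_USAGE: /* unchecked, this would read adjacent memory */
        ref->value = f->value[ref->usage_index];
        return 0;
    case CMD_SET_USAGE: /* unchecked, this would overwrite adjacent memory */
        f->value[ref->usage_index] = ref->value;
        return 0;
    default:
        return -EINVAL;
    }
}

/* Constructed sample: 4 slots followed by a canary word. Returns 1 when
 * an in-range write/read round-trips, both out-of-range requests are
 * refused, and the canary is untouched. */
int demo_bounds_enforced(void)
{
    int32_t buf[5] = { 10, 20, 30, 40, 0x5AFE };
    struct field_model f = { 4, buf };
    struct usage_ref_model w = { 3, 77 }, g = { 3, 0 };
    struct usage_ref_model bad = { 4, 0x41 }; /* one past the last slot */
    int ok = usage_ioctl_model(&f, CMD_SET_USAGE, &w) == 0
          && usage_ioctl_model(&f, CMD_GET_USAGE, &g) == 0 && g.value == 77;
    int set_rc = usage_ioctl_model(&f, CMD_SET_USAGE, &bad);
    int get_rc = usage_ioctl_model(&f, CMD_GET_USAGE, &bad);
    return ok && set_rc == -EINVAL && get_rc == -EINVAL && buf[4] == 0x5AFE;
}
```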