From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Marc Zyngier, Benjamin Tissoires
Subject: [PATCH 4.19 02/88] HID: core: Sanitize event code and type when mapping input
Date: Tue, 8 Sep 2020 17:25:03 +0200
Message-Id: <20200908152221.209662874@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200908152221.082184905@linuxfoundation.org>
References: <20200908152221.082184905@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Marc Zyngier

commit 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 upstream.

When calling into hid_map_usage(), the passed event code is
blindly stored as is, even if it doesn't fit in the associated bitmap.

This event code can come from a variety of sources, including devices
masquerading as input devices, only a bit more "programmable".

Instead of taking the event code at face value, check that it actually
fits the corresponding bitmap, and if it doesn't:
- spit out a warning so that we know which device is acting up
- NULLify the bitmap pointer so that we catch unexpected uses

Code paths that can make use of untrusted inputs can now check
that the mapping was indeed correct and bail out if not.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier
Signed-off-by: Benjamin Tissoires
Signed-off-by: Greg Kroah-Hartman
---
 drivers/hid/hid-input.c      | 4 ++++
 drivers/hid/hid-multitouch.c | 2 ++
 include/linux/hid.h          | 42 +++++++++++++++++++++++++++++-------------
 3 files changed, 35 insertions(+), 13 deletions(-)

--- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c
@@ -1125,6 +1125,10 @@ static void hidinput_configure_usage(str } mapped: + /* Mapping failed, bail out */ + if (!bit) + return; + if (device->driver->input_mapped && device->driver->input_mapped(device, hidinput, field, usage, &bit, &max) < 0) { --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -841,6 +841,8 @@ static int mt_touch_input_mapping(struct code = BTN_0 + ((usage->hid - 1) & HID_USAGE); hid_map_usage(hi, usage, bit, max, EV_KEY, code); + if (!*bit) + return -1; input_set_capability(hi->input, EV_KEY, code); return 1; --- a/include/linux/hid.h +++ b/include/linux/hid.h 
@@ -956,34 +956,49 @@ static inline void hid_device_io_stop(st * @max: maximal valid usage->code to consider later (out parameter) * @type: input event type (EV_KEY, EV_REL, ...) * @c: code which corresponds to this usage and type + * + * The value pointed to by @bit will be set to NULL if either @type is + * an unhandled event type, or if @c is out of range for @type. This + * can be used as an error condition. */ static inline void hid_map_usage(struct hid_input *hidinput, struct hid_usage *usage, unsigned long **bit, int *max, - __u8 type, __u16 c) + __u8 type, unsigned int c) { struct input_dev *input = hidinput->input; - - usage->type = type; - usage->code = c; + unsigned long *bmap = NULL; + unsigned int limit = 0; switch (type) { case EV_ABS: - *bit = input->absbit; - *max = ABS_MAX; + bmap = input->absbit; + limit = ABS_MAX; break; case EV_REL: - *bit = input->relbit; - *max = REL_MAX; + bmap = input->relbit; + limit = REL_MAX; break; case EV_KEY: - *bit = input->keybit; - *max = KEY_MAX; + bmap = input->keybit; + limit = KEY_MAX; break; case EV_LED: - *bit = input->ledbit; - *max = LED_MAX; + bmap = input->ledbit; + limit = LED_MAX; break; } + + if (unlikely(c > limit || !bmap)) { + pr_warn_ratelimited("%s: Invalid code %d type %d\n", + input->name, c, type); + *bit = NULL; + return; + } + + usage->type = type; + usage->code = c; + *max = limit; + *bit = bmap; } /** @@ -997,7 +1012,8 @@ static inline void hid_map_usage_clear(s __u8 type, __u16 c) { hid_map_usage(hidinput, usage, bit, max, type, c); - clear_bit(c, *bit); + if (*bit) + clear_bit(usage->code, *bit); } /**
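Review bot: In the drivers/hid/hid-input.c hunk, the new `if (!bit) return;` at the `mapped:` label only works as a failure test if `bit` is NULL on every path that reaches the label without a successful hid_map_usage() call, and the declaration of `bit` is outside the visible context. Please confirm it is initialised to NULL, and consider extending the comment to say that hid_map_usage() is what clears it, since the early return is otherwise silent in a void function.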
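Review bot: In the drivers/hid/hid-multitouch.c hunk, the `if (!*bit) return -1;` check after hid_map_usage() carries no comment, unlike the matching bail-out added in hid-input.c. `code` here is computed from `usage->hid`, so a one-line comment saying that the check keeps an out-of-range code away from the input_set_capability() call below would make the intent clear to anyone adding a similar mapping.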
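Review bot: In the first include/linux/hid.h hunk, `c` becomes `unsigned int` but the new pr_warn_ratelimited() call still prints it with `%d`; `%u` matches the type and keeps a large code from showing up as a negative number in the log. The added kernel-doc text could also state that on failure `*max`, `usage->type` and `usage->code` are left unwritten, since a caller that ignores the NULL `*bit` would otherwise read stale values.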
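Review bot: In the second include/linux/hid.h hunk, hid_map_usage_clear() keeps `__u16 c` in its signature while hid_map_usage() now takes `unsigned int c`, so a wider value passed through this helper is truncated to 16 bits before the range check sees it. Widening the parameter to `unsigned int` would keep the two helpers consistent; the switch from `c` to `usage->code` in clear_bit() is fine either way because it only runs when the mapping succeeded.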