From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marc Zyngier , Benjamin Tissoires Subject: [PATCH 4.19 01/88] HID: core: Correctly handle ReportSize being zero Date: Tue, 8 Sep 2020 17:25:02 +0200 Message-Id: <20200908152221.161126100@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200908152221.082184905@linuxfoundation.org> References: <20200908152221.082184905@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marc Zyngier commit bce1305c0ece3dc549663605e567655dd701752c upstream. It appears that a ReportSize value of zero is legal, even if a bit non-sensical. Most of the HID code seems to handle that gracefully, except when computing the total size in bytes. When fed as input to memset, this leads to some funky outcomes. Detect the corner case and correctly compute the size. Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman --- drivers/hid/hid-core.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1426,6 +1426,17 @@ static void hid_output_field(const struc } /* + * Compute the size of a report. + */ +static size_t hid_compute_report_size(struct hid_report *report) +{ + if (report->size) + return ((report->size - 1) >> 3) + 1; + + return 0; +} + +/* * Create a report. 'data' has to be allocated using * hid_alloc_report_buf() so that it has proper size. */ 
@@ -1437,7 +1448,7 @@ void hid_output_report(struct hid_report if (report->id > 0) *data++ = report->id; - memset(data, 0, ((report->size - 1) >> 3) + 1); + memset(data, 0, hid_compute_report_size(report)); for (n = 0; n < report->maxfield; n++) hid_output_field(report->device, report->field[n], data); } @@ -1564,7 +1575,7 @@ int hid_report_raw_event(struct hid_devi csize--; } - rsize = ((report->size - 1) >> 3) + 1; + rsize = hid_compute_report_size(report); if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) rsize = HID_MAX_BUFFER_SIZE - 1;
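Review bot: the comment above hid_compute_report_size() in the first hunk (@@ -1426,6 +1426,17 @@) gives no units and does not say why zero is special-cased. The expression ((report->size - 1) >> 3) + 1 rounds a bit count up to whole bytes, and the commit message names the zero case as the one the old computation got wrong, so the comment should state that report->size is in bits, that the result is in bytes, and that a ReportSize of zero yields zero. The helper only reads the report, so the parameter could be const struct hid_report *.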
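Review bot: in the hid_output_report() hunk (@@ -1437,7 +1448,7 @@), the memset length now comes from the helper, but the context comment says 'data' has to be allocated using hid_alloc_report_buf(), which this patch does not touch. Please confirm that the allocator computes its length in a way that also handles a size of zero, ideally by calling hid_compute_report_size() itself, so that the allocation and the memset cannot disagree.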
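Review bot: in the hid_report_raw_event() hunk (@@ -1564,7 +1575,7 @@), rsize is now assigned a size_t, and its declaration is outside the visible context. If rsize is declared with a narrower type the assignment converts implicitly, so either confirm the types match or have the helper return the type rsize already uses. rsize can also be 0 after this change, so the code following the HID_MAX_BUFFER_SIZE clamp that consumes rsize should be checked for any assumption that it is at least one byte.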