From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com, "F.A. SULAIMAN", Pavel Skripkin, Jiri Kosina
Subject: [PATCH 5.14 163/172] HID: betop: fix slab-out-of-bounds Write in betop_probe
Date: Mon, 4 Oct 2021 14:53:33 +0200
Message-Id: <20211004125050.237485747@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20211004125044.945314266@linuxfoundation.org>
References: <20211004125044.945314266@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: F.A.Sulaiman

commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream.

Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
The problem is the driver assumes the device must have an input report but
some malicious devices violate this assumption.

So this patch checks hid_device's input is non empty before it's been used.

Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
Signed-off-by: F.A. SULAIMAN
Reviewed-by: Pavel Skripkin
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
 drivers/hid/hid-betopff.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/hid/hid-betopff.c
+++ b/drivers/hid/hid-betopff.c
@@ -56,15 +56,22 @@ static int betopff_init(struct hid_devic { struct betopff_device *betopff; struct hid_report *report; - struct hid_input *hidinput = - list_first_entry(&hid->inputs, struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int field_count = 0; int error; int i, j; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV;
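
Review bot: The changelog does not say why an empty hid->inputs list becomes an out-of-bounds write, and the new list_empty(&hid->inputs) check at the top of betopff_init() is hard to evaluate without that. list_first_entry() on an empty list does not return NULL; it returns a pointer computed from the list head embedded in struct hid_device, so the removed initializers made hidinput point at something that is not a real struct hid_input, and dev was then loaded from it. A sentence to that effect in the commit message, or a short comment above the check, would record the reasoning. The message also carries no Fixes: tag, which would help decide which stable trees need the backport. The placement of the check before the first dereference of hidinput, and the -ENODEV return matching the existing "no output reports found" path, look right.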