Date: Fri, 6 May 2022 08:53:42 +0200 (CEST)
From: Jiri Kosina
To: Dongliang Mu
cc: Benjamin Tissoires, Dongliang Mu, syzkaller, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] HID: bigben: fix slab-out-of-bounds Write in bigben_probe
In-Reply-To: <20220506053740.1113415-1-dzm91@hust.edu.cn>
References: <20220506053740.1113415-1-dzm91@hust.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 6 May 2022, Dongliang Mu wrote:

> From: Dongliang Mu
>
> There is a slab-out-of-bounds Write bug in the hid-bigbenff driver.
> The problem is the driver assumes the device must have an input but
> some malicious devices violate this assumption.
>
> Fix this by checking hid_device's input is non-empty before its usage.
>
> Reported-by: syzkaller
> Signed-off-by: Dongliang Mu
> ---
> drivers/hid/hid-bigbenff.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c > index 74ad8bf98bfd..c14d1774101d 100644 > --- a/drivers/hid/hid-bigbenff.c > +++ b/drivers/hid/hid-bigbenff.c
> @@ -347,6 +347,11 @@ static int bigben_probe(struct hid_device *hid, > bigben->report = list_entry(report_list->next, > struct hid_report, list); > > + if (list_empty(&hid->inputs)) { > + hid_err(hid, "no inputs found\n"); > + return -ENODEV; > + } > +

Thanks for the fix. It doesn't seem to be fully correct though -- as you'd be returning -ENODEV here in the situation when hid_hw_start() has already happened. So I believe the better thing to do here is to do

	error = -ENODEV;
	goto error_hw_stop;

Could you please fix that up and resend?

Thanks,

-- 
Jiri Kosina
SUSE Labs
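Review bot: the bare `return -ENODEV;` inside the new `if (list_empty(&hid->inputs))` block skips the probe's own unwind path; as the reply points out, this point in bigben_probe() is reached after hid_hw_start() has already run, so an early return leaves the device started and whatever hid_hw_start() set up is never torn down. Assign the error and jump to the existing cleanup label instead, i.e. replace the return with `error = -ENODEV;` followed by `goto error_hw_stop;`, so the failure path stops the hardware the same way the other error exits in this function do.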
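The difference the review is about, as an added user-space model that is not code from the patch or from the kernel tree: a probe that validates the device after starting the hardware must unwind through a cleanup label rather than return directly, or the device is left in a started state that nothing will ever stop. The names `struct fake_hid`, `fake_hw_start`, `fake_hw_stop`, `probe_early_return` and `probe_with_unwind` are assumptions for the demo; the kernel's `list_empty()`, `hid_hw_start()` and `hid_hw_stop()` are only imitated here.

```c
/* Added example (not from the patch or the kernel tree): a model of the
 * probe()/error-label pattern discussed in the review. Everything below
 * (struct fake_hid, fake_hw_start/stop, the two probe variants) is an
 * assumption for the demo; the kernel's list_empty()/hid_hw_start()/
 * hid_hw_stop() are imitated, not used. */
#include <errno.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's struct list_head / list_empty(). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static int list_is_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

struct fake_hid {
    struct list_head inputs;   /* filled in by the HID core in real life */
    int hw_started;            /* 1 between fake_hw_start and fake_hw_stop */
};

static int fake_hw_start(struct fake_hid *hid) { hid->hw_started = 1; return 0; }
static void fake_hw_stop(struct fake_hid *hid) { hid->hw_started = 0; }

/* Shape of the submitted patch: the inputs check sits after hw_start but
 * bails out with a bare return, so a device without inputs stays started. */
int probe_early_return(struct fake_hid *hid)
{
    int error = fake_hw_start(hid);
    if (error)
        return error;

    if (list_is_empty(&hid->inputs))
        return -ENODEV;          /* BUG: hw_start already happened */

    return 0;                    /* success: hardware stays running */
}

/* Shape the reviewer asks for: record the error and unwind via the label. */
int probe_with_unwind(struct fake_hid *hid)
{
    int error = fake_hw_start(hid);
    if (error)
        return error;

    if (list_is_empty(&hid->inputs)) {
        error = -ENODEV;
        goto error_hw_stop;
    }

    return 0;

error_hw_stop:
    fake_hw_stop(hid);
    return error;
}

/* Runs one probe variant against a constructed device with no inputs and
 * reports whether the hardware was left started (1) or stopped (0);
 * -1 means the probe unexpectedly did not fail with -ENODEV. */
int hw_left_started_after_failed_probe(int (*probe)(struct fake_hid *))
{
    struct fake_hid hid;
    list_init(&hid.inputs);
    hid.hw_started = 0;
    if (probe(&hid) != -ENODEV)
        return -1;
    return hid.hw_started;
}

/* With one input present both variants succeed and leave the hardware
 * running, which is the normal end state of a successful probe. */
int probe_succeeds_with_input(int (*probe)(struct fake_hid *))
{
    struct fake_hid hid;
    struct list_head input;     /* constructed input entry */
    list_init(&hid.inputs);
    list_add_tail(&input, &hid.inputs);
    hid.hw_started = 0;
    return probe(&hid) == 0 && hid.hw_started == 1;
}

int main(void)
{
    printf("early return leaves hw started after failure: %d\n",
           hw_left_started_after_failed_probe(probe_early_return));
    printf("goto unwind leaves hw started after failure:  %d\n",
           hw_left_started_after_failed_probe(probe_with_unwind));
    return 0;
}
```

The model keeps the success path identical in both variants so that the only observable difference is the state a rejected device is left in; in a real driver that leaked state is what a later remove() or a second probe of the same device would trip over.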