Date: Fri, 31 May 2024 11:59:39 +0300
From: Dan Carpenter
To: Andrew Ballance
Cc: syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com,
 benjamin.tissoires@redhat.com, bentiss@kernel.org, jikos@kernel.org,
 jkosina@suse.com, linux-input@vger.kernel.org,
 linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, luke@ljones.dev,
 syzkaller-bugs@googlegroups.com,
 linux-kernel-mentees@lists.linuxfoundation.org, skhan@linuxfoundation.org
Subject: Re: [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds
References: <000000000000915d550619389e8a@google.com> <20240528050555.1150628-1-andrewjballance@gmail.com>
In-Reply-To: <20240528050555.1150628-1-andrewjballance@gmail.com>

On Tue, May 28, 2024 at 12:05:39AM -0500, Andrew Ballance wrote:
> #syz test
>
> there may be a read out of the bounds of rdesc.
> this adds bounds checks
>
> Signed-off-by: Andrew Ballance
> ---
> drivers/hid/hid-asus.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 02de2bf4f790..37e6d25593c2 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
> }
>
> /* match many more n-key devices */
> - if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
> - for (int i = 0; i < *rsize + 1; i++) {
> + if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
> + for (int i = 0; i < *rsize - 15; i++) {

Yep. This looks correct. Please resend with a complete commit message and a
fixes tag etc.

> /* offset to the count from 0x5a report part always 14 */
> if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
> rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {

regards,
dan carpenter
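
Review bot: the literal 15 in the new `*rsize > 15` guard and in the `*rsize - 15` loop bound is not explained anywhere in the hunk. It comes from the highest index read in the trailing context lines, `rdesc[i + 15]`, and all three have to stay in step. A short comment, or a named constant used in all three places, would make that dependency visible to whoever next changes the match pattern. The guard also needs to stay in the same condition as the loop: if `*rsize` is an unsigned type (its declaration is not visible in these lines), `*rsize - 15` wraps for sizes below 15 and the loop would walk far past the end of the buffer. As a style point, parentheses around `drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD` would make the mixed `&` and `&&` condition easier to read.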