From: Andrew Ballance
To: dan.carpenter@linaro.org
Cc: andrewjballance@gmail.com, benjamin.tissoires@redhat.com, bentiss@kernel.org, jikos@kernel.org, jkosina@suse.com, linux-input@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, luke@ljones.dev, skhan@linuxfoundation.org, syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: [PATCH v2] hid: asus: asus_report_fixup: fix potential read out of bounds
Date: Sun, 2 Jun 2024 03:50:23 -0500
Message-ID: <20240602085023.1720492-1-andrewjballance@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot reported a potential read out of bounds in asus_report_fixup. This patch adds checks so that a read out of bounds will not occur.

Signed-off-by: Andrew Ballance
Reported-by: syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
Fixes: 59d2f5b73921 ("HID: asus: fix more n-key report descriptors if n-key quirked")
--- drivers/hid/hid-asus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index 02de2bf4f790..37e6d25593c2 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c @@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc, } /* match many more n-key devices */ - if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) { - for (int i = 0; i < *rsize + 1; i++) { + if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) { + for (int i = 0; i < *rsize - 15; i++) { /* offset to the count from 0x5a report part always 14 */ if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a && rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) { -- 2.45.1
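
Review bot: The new loop bound `*rsize - 15` and the guard `*rsize > 15` both hard-code 15 without saying where it comes from. It is the largest offset read by the match in the loop body (`rdesc[i + 15]`), so with `i < *rsize - 15` the highest index touched is `*rsize - 1`, which is in bounds. A short comment or a named constant next to the loop would keep the guard, the bound and the `rdesc[i + 15]` access in sync if the matched pattern is ever extended. The `*rsize > 15` test is also load-bearing if `*rsize` is an unsigned type (its declaration is not visible in this hunk): without it the subtraction would wrap for short descriptors, and `int i` is compared against that result, so the comment should state that the guard must stay ahead of the loop. Parentheses around `drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD` would make the mixed `&` and `&&` condition easier to read. The commit message could also say what was wrong with the old bound: `i < *rsize + 1` let `i` reach `*rsize`, so `rdesc[i + 15]` was read past the end of the descriptor.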