linux-stable/include
Jiri Kosina 27ce405039 HID: fix data access in implement()
implement() is setting bytes in LE data stream. In case the data is not
aligned to 64bits, it reads past the allocated buffer. It doesn't really
change any value there (it's properly bitmasked), but in case that this
read past the boundary hits a page boundary, pagefault happens when
accessing 64bits of 'x' in implement(), and kernel oopses.

This happens much more often when numbered reports are in use, as the
initial 8bit skip in the buffer makes the whole process work on values
which are not aligned to 64bits.

This problem dates back to attempts in 2005 and 2006 to make implement()
and extract() as generic as possible, and even back then the problem
was realized by Adam Kroperlin, but falsely assumed to be impossible
to cause any harm:

  http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html

I have made several attempts at fixing it "on the spot" directly in
implement(), but the results were horrible; the special casing for processing
the last 64bit chunk and switching to different math makes it an unreadable mess.

I therefore took a path to allocate a few bytes more which will never make
it into final report, but are there as a cushion for all the 64bit math
operations happening in implement() and extract().

All callers of hid_output_report() are converted at the same time to allocate
the buffer by the newly introduced hid_alloc_report_buf() helper.

Bruno noticed that the whole raw_size test can be dropped as well, as
hid_alloc_report_buf() makes sure that the buffer is always of a proper
size.

Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-07-22 16:16:40 +02:00
acpi PCI changes for the v3.11 merge window: 2013-07-03 16:31:35 -07:00
asm-generic Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
clocksource clocksource: arch_timer: use virtual counters 2013-06-07 10:20:28 +01:00
crypto
drm
dt-bindings Pin control changes for the v3.11 kernel cycle: 2013-07-03 11:48:03 -07:00
keys
kvm ARM: KVM: Allow host virt timer irq to be different from guest timer virt irq 2013-06-26 10:50:02 -07:00
linux HID: fix data access in implement() 2013-07-22 16:16:40 +02:00
math-emu
media Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2013-06-18 06:25:08 -10:00
memory
misc
net ip_tunnel: remove __net_init/exit from exported functions 2013-06-13 03:00:59 -07:00
pcmcia
ras
rdma
rxrpc
scsi
sound ASoC: More updates for v3.11 2013-06-28 13:36:22 +02:00
target
trace Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
uapi Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-07-04 11:39:00 -07:00
video
xen Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
Kbuild