mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-30 06:10:56 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/hid
History
ZhangPeng 8e14f20e12 HID: core: fix shift-out-of-bounds in hid_report_raw_event 
commit ec61b41918 upstream.

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(),
shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32, if n
is greater than 32.

Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
Fixes: dde5845a52 ("[PATCH] Generic HID layer - code split")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-12-14 11:28:27 +01:00
..
i2c-hid HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports 2022-04-15 14:14:48 +02:00
intel-ish-hid HID: ishtp-hid-clientHID: ishtp-hid-client: Fix comment typo 2022-09-20 12:26:47 +02:00
usbhid HID: usbhid: free raw_report buffers in usbhid_stop 2021-10-06 15:31:28 +02:00
hid-a4tech.c HID: input: fix a4tech horizontal wheel custom usage 2019-08-29 08:28:40 +02:00
hid-accutouch.c
hid-alps.c HID: alps: Declare U1_UNICORN_LEGACY support 2022-08-25 11:15:18 +02:00
hid-apple.c HID: apple: Do not reset quirks when the Fn key is not found 2022-01-27 09:04:23 +01:00
hid-appleir.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
hid-asus.c HID: add hid_is_usb() function to make it simpler for USB detection 2021-12-14 10:18:03 +01:00
hid-aureal.c
hid-axff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-belkin.c
hid-betopff.c HID: betop: fix slab-out-of-bounds Write in betop_probe 2021-10-06 15:31:27 +02:00
hid-cherry.c
hid-chicony.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-cmedia.c
hid-core.c HID: core: fix shift-out-of-bounds in hid_report_raw_event 2022-12-14 11:28:27 +01:00
hid-corsair.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-cougar.c HID: cougar: Add support for the Cougar 500k Gaming Keyboard 2018-07-23 11:35:05 +02:00
hid-cp2112.c HID: cp2112: prevent a buffer overflow in cp2112_xfer() 2022-08-25 11:15:14 +02:00
hid-cypress.c HID: cypress: Support Varmilo Keyboards' media hotkeys 2020-12-02 08:48:08 +01:00
hid-debug.c HID: add mapping for KEY_ALL_APPLICATIONS 2022-03-08 19:04:09 +01:00
hid-dr.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-elan.c HID: elan: Fix potential double free in elan_input_configured 2022-06-14 16:59:20 +02:00
hid-elecom.c HID: elecom: add support for EX-G M-XT4DRBK trackball 2018-03-06 15:15:47 +01:00
hid-elo.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-emsff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-ezkey.c
hid-gaff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-gembird.c
hid-generic.c HID: generic: create one input report per application type 2018-04-26 14:17:31 +02:00
hid-gfrm.c HID: generic: create one input report per application type 2018-04-26 14:17:31 +02:00
hid-google-hammer.c HID: google: add eel USB id 2021-12-14 10:18:03 +01:00
hid-gt683r.c HID: gt683r: add missing MODULE_DEVICE_TABLE 2021-06-30 08:48:11 -04:00
hid-gyration.c
hid-holtek-kbd.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-holtek-mouse.c HID: holtek: fix mouse probing 2021-12-29 12:20:43 +01:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-hyperv.c HID: hyperv: fix possible memory leak in mousevsc_probe() 2022-11-25 17:40:16 +01:00
hid-icade.c
hid-ids.h HID: saitek: add madcatz variant of MMO7 mouse device ID 2022-11-10 17:46:54 +01:00
hid-input.c HID: add mapping for KEY_ALL_APPLICATIONS 2022-03-08 19:04:09 +01:00
hid-ite.c HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock 2020-03-05 16:42:18 +01:00
hid-jabra.c HID: Add special driver for Jabra devices 2017-11-21 12:54:58 +01:00
hid-kensington.c
hid-keytouch.c
hid-kye.c
hid-lcpower.c
hid-led.c HID: hid-led: fix maximum brightness for Dream Cheeky 2022-06-14 16:59:20 +02:00
hid-lenovo.c HID: lenovo: Add checks to fix of_led_classdev_register 2019-02-12 19:47:19 +01:00
hid-lg.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-lg.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lg2ff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-lg4ff.c HID: hid-lg4ff: Add check for empty lbuf 2022-12-14 11:28:27 +01:00
hid-lg4ff.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lgff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-logitech-dj.c
hid-logitech-hidpp.c HID: logitech-hidpp: Silence intermittent get_battery_capacity errors 2020-01-04 19:12:59 +01:00
hid-magicmouse.c HID: magicmouse: Do not set BTN_MOUSE on double report 2022-11-03 23:52:26 +09:00
hid-mf.c HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter 2021-03-11 14:05:01 +01:00
hid-microsoft.c HID: microsoft: support the Surface Dial 2018-07-17 15:33:47 +02:00
hid-monterey.c
hid-multitouch.c HID: multitouch: Add memory barriers 2022-10-26 13:19:21 +02:00
hid-nti.c
hid-ntrig.c HID: hid-ntrig: add error handling for sysfs_create_group 2018-06-25 15:16:11 +02:00
hid-ortek.c HID: ortek: add one more buggy device 2017-07-24 17:38:21 +02:00
hid-penmount.c
hid-petalynx.c
hid-picolcd.h
hid-picolcd_backlight.c
hid-picolcd_cir.c media: rc: rename RC_TYPE_* to RC_PROTO_* and RC_BIT_* to RC_PROTO_BIT_* 2017-08-20 10:02:48 -04:00
hid-picolcd_core.c
hid-picolcd_debugfs.c
hid-picolcd_fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
hid-picolcd_lcd.c
hid-picolcd_leds.c
hid-pl.c
hid-plantronics.c HID: plantronics: Workaround for double volume key presses 2021-05-22 10:59:34 +02:00
hid-primax.c
hid-prodikeys.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-quirks.c HID: saitek: add madcatz variant of MMO7 mouse device ID 2022-11-10 17:46:54 +01:00
hid-redragon.c HID: redragon: fix num lock and caps lock LEDs 2018-06-25 15:23:40 +02:00
hid-retrode.c HID: Add driver for Retrode2 joypad adapter 2017-06-22 14:44:11 +02:00
hid-rmi.c HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transport device 2020-01-04 19:13:00 +01:00
hid-roccat-arvo.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-arvo.h
hid-roccat-common.c
hid-roccat-common.h
hid-roccat-isku.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-isku.h
hid-roccat-kone.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-kone.h
hid-roccat-koneplus.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-koneplus.h
hid-roccat-konepure.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-kovaplus.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-kovaplus.h
hid-roccat-lua.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-pyra.h
hid-roccat-ryos.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-savu.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-roccat-savu.h
hid-roccat.c HID: roccat: Fix use-after-free in roccat_read() 2022-10-26 13:19:41 +02:00
hid-saitek.c HID: saitek: add madcatz variant of MMO7 mouse device ID 2022-11-10 17:46:54 +01:00
hid-samsung.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-sensor-custom.c iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers 2018-12-05 19:32:13 +01:00
hid-sensor-hub.c HID: hid-sensor-hub: Return error for hid_set_field() failure 2021-06-30 08:48:10 -04:00
hid-sjoy.c
hid-sony.c HID: sony: Fix for broken buttons on DS3 USB dongles 2020-06-07 13:17:53 +02:00
hid-speedlink.c
hid-steam.c HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report 2022-09-05 10:26:33 +02:00
hid-steelseries.c
hid-sunplus.c
hid-tivo.c
hid-tmff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-topseed.c
hid-twinhan.c
hid-uclogic.c HID: check for valid USB device for many HID drivers 2021-12-14 10:18:04 +01:00
hid-udraw-ps3.c
hid-waltop.c
hid-wiimote-core.c HID: wiimote: add support for Guitar-Hero devices 2018-06-25 15:26:06 +02:00
hid-wiimote-debug.c
hid-wiimote-modules.c HID: wiimote: add support for Guitar-Hero devices 2018-06-25 15:26:06 +02:00
hid-wiimote.h HID: wiimote: add support for Guitar-Hero devices 2018-06-25 15:26:06 +02:00
hid-xinmo.c
hid-zpff.c HID: Fix assumption that devices have inputs 2019-11-06 13:06:18 +01:00
hid-zydacron.c
hidraw.c HID: hidraw: fix memory leak in hidraw_release() 2022-09-05 10:26:33 +02:00
Kconfig HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option 2022-01-05 12:34:57 +01:00
Makefile HID: cougar: Add support for the Cougar 500k Gaming Keyboard 2018-07-23 11:35:05 +02:00
uhid.c HID: uhid: Fix worker destroying device without any protection 2022-01-27 09:04:14 +01:00
wacom.h HID: wacom: generic: Treat serial number and related fields as unsigned 2019-11-12 19:20:38 +01:00
wacom_sys.c HID: wacom: Don't register pad_input for touch switch 2022-08-25 11:14:52 +02:00
wacom_wac.c HID: wacom: Don't register pad_input for touch switch 2022-08-25 11:14:52 +02:00
wacom_wac.h HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts 2021-12-01 09:27:39 +01:00