linux-stable/drivers/hid
Hyunwoo Kim cacdb14b1c HID: roccat: Fix use-after-free in roccat_read()
roccat_report_event() is responsible for registering
roccat-related reports in struct roccat_device.

int roccat_report_event(int minor, u8 const *data)
{
	struct roccat_device *device;
	struct roccat_reader *reader;
	struct roccat_report *report;
	uint8_t *new_value;

	device = devices[minor];

	new_value = kmemdup(data, device->report_size, GFP_ATOMIC);
	if (!new_value)
		return -ENOMEM;

	report = &device->cbuf[device->cbuf_end];

	/* passing NULL is safe */
	kfree(report->value);
	...

The registered report is stored in the struct roccat_device member
"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];".
If more reports are received than the "ROCCAT_CBUF_SIZE" value,
the saved report from cbuf[0] is kfree()d and a new report is allocated.
Since there is no lock when this kfree() is performed,
kfree() can be performed even while reading the saved report.

static ssize_t roccat_read(struct file *file, char __user *buffer,
		size_t count, loff_t *ppos)
{
	struct roccat_reader *reader = file->private_data;
	struct roccat_device *device = reader->device;
	struct roccat_report *report;
	ssize_t retval = 0, len;
	DECLARE_WAITQUEUE(wait, current);

	mutex_lock(&device->cbuf_lock);

	...

	report = &device->cbuf[reader->cbuf_start];
	/*
	 * If report is larger than requested amount of data, rest of report
	 * is lost!
	 */
	len = device->report_size > count ? count : device->report_size;

	if (copy_to_user(buffer, report->value, len)) {
		retval = -EFAULT;
		goto exit_unlock;
	}
	...

The roccat_read() function receives the device->cbuf report and
delivers it to the user through copy_to_user().
If the (N+ROCCAT_CBUF_SIZE)th report is received while copying of
the Nth report->value is in progress, the pointer that copy_to_user()
is working on is kfree()d and a UAF read may occur (race condition).

Since the device node of this driver does not set separate permissions,
this is not a security vulnerability, but because it is used for
requesting screen display of profile or dpi settings,
a user using the roccat device can apply udev to this device node or
there is a possibility to use it by giving.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2022-09-20 14:49:15 +02:00
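The interleaving described in the commit message above, as an added example that is neither the roccat driver's code nor part of the commit: a single-threaded user-space model in C. The producer models roccat_report_event(), the reader models roccat_read() split at the copy_to_user() call so the preemption point can be chosen by hand, and a toy allocator records whether a buffer is still live, so the stale read is reported instead of being undefined behaviour. The hardened variant only frees a cbuf slot while holding cbuf_lock, which is what the fix does by taking device->cbuf_lock around the free and replace in roccat_report_event(). CBUF_SIZE, REPORT_SIZE, the bump-pool allocator, the constructed report bytes and the -EBUSY return (a real mutex_lock() would sleep until the reader unlocks) are assumptions of this demo.

```c
/* Added example, not the driver's code.  CBUF_SIZE, REPORT_SIZE, the pool
 * allocator and the -EBUSY return are assumptions made for this demo. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CBUF_SIZE   4	/* stands in for ROCCAT_CBUF_SIZE */
#define REPORT_SIZE 8	/* stands in for device->report_size */
#define POOL_SIZE   16

/* Bump allocator in place of kmemdup()/kfree(); 'live' lets a stale read be detected safely. */
struct buf { bool live; uint8_t data[REPORT_SIZE]; };
static struct buf pool[POOL_SIZE];
static unsigned int pool_next;

static struct buf *toy_kmemdup(const uint8_t *src)
{
	if (pool_next >= POOL_SIZE)
		return NULL;
	struct buf *b = &pool[pool_next++];
	b->live = true;
	memcpy(b->data, src, REPORT_SIZE);
	return b;
}

static void toy_kfree(struct buf *b)
{
	if (!b)			/* passing NULL is safe, as with kfree() */
		return;
	b->live = false;
	memset(b->data, 0xA5, REPORT_SIZE);	/* poison, like a freed slab object */
}

struct report { struct buf *value; };
/* cbuf_lock models device->cbuf_lock: true while a reader holds it. */
struct device { struct report cbuf[CBUF_SIZE]; unsigned int cbuf_end; bool cbuf_lock; };

/* Models roccat_report_event().  lock_writer == false is the buggy shape: the oldest
 * slot is freed and replaced without cbuf_lock.  lock_writer == true frees only under
 * cbuf_lock; a real mutex_lock() would sleep, the model returns -EBUSY and drops the report. */
static int report_event(struct device *dev, const uint8_t *data, bool lock_writer)
{
	struct buf *new_value = toy_kmemdup(data);
	if (!new_value)
		return -ENOMEM;
	if (lock_writer && dev->cbuf_lock) {
		toy_kfree(new_value);
		return -EBUSY;
	}
	struct report *report = &dev->cbuf[dev->cbuf_end];
	toy_kfree(report->value);	/* may free what a reader is still copying */
	report->value = new_value;
	dev->cbuf_end = (dev->cbuf_end + 1) % CBUF_SIZE;
	return 0;
}

/* roccat_read() up to copy_to_user(): take cbuf_lock and pick up the slot pointer. */
static struct buf *read_begin(struct device *dev, unsigned int cbuf_start)
{
	dev->cbuf_lock = true;
	return dev->cbuf[cbuf_start].value;
}

/* The copy_to_user() step.  Returns -1 if the pointer now refers to a freed buffer
 * (what KASAN would flag as a use-after-free read), else the byte count copied. */
static int read_finish(struct device *dev, const struct buf *value, uint8_t *out)
{
	int ret = -1;
	if (value->live) {
		memcpy(out, value->data, REPORT_SIZE);
		ret = REPORT_SIZE;
	}
	dev->cbuf_lock = false;
	return ret;
}

/* The interleaving from the commit message: the reader has started on report N (bytes
 * 0x11) when N+1 .. N+CBUF_SIZE arrive and the last one wraps onto the slot being read.
 * Returns -1 for a read from a freed buffer, else the first byte copied (0x11 = report N). */
static int run_race(bool lock_writer)
{
	struct device dev = { .cbuf_end = 0, .cbuf_lock = false };
	uint8_t pkt[REPORT_SIZE], out[REPORT_SIZE];
	pool_next = 0;
	memset(pkt, 0x11, sizeof(pkt));			/* constructed report N -> cbuf[0] */
	report_event(&dev, pkt, lock_writer);
	struct buf *value = read_begin(&dev, 0);	/* reader is preempted after this */
	for (int i = 1; i <= CBUF_SIZE; i++) {		/* constructed reports N+1 .. N+CBUF_SIZE */
		memset(pkt, 0x11 + i, sizeof(pkt));
		report_event(&dev, pkt, lock_writer);
	}
	int ret = read_finish(&dev, value, out);	/* reader resumes its copy */
	return ret < 0 ? ret : out[0];
}

/* Stand-alone run: prints "-1 17", i.e. the unlocked producer let the reader copy a freed buffer. */
int main(void) { printf("%d %d\n", run_race(false), run_race(true)); return 0; }
```

The check to take away from the model: every path that frees a cbuf slot must hold the same lock the reader holds across copy_to_user(), not just around the index bookkeeping. Locking only in roccat_read(), as the unfixed driver did, leaves the kfree() in roccat_report_event() free to run between the reader picking up report->value and finishing its copy.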
amd-sfh-hid HID: AMD_SFH: Add a DMI quirk entry for Chromebooks 2022-08-25 11:42:54 +02:00
i2c-hid HID: i2c-hid: elan: Add support for Elan eKTH6915 i2c-hid touchscreens 2022-06-08 11:46:23 +02:00
intel-ish-hid HID: intel-ish-hid: ipc: Add Meteor Lake PCI device ID 2022-08-25 15:03:15 +02:00
surface-hid HID: add suspend/resume helpers 2021-12-02 15:42:46 +01:00
usbhid HID: usbhid: remove third argument of usb_maxpacket() 2022-04-23 10:33:53 +02:00
.kunitconfig HID: uclogic: Add KUnit tests for uclogic_rdesc_template_apply() 2022-06-15 15:51:46 +02:00
hid-a4tech.c HID: a4tech: use A4_2WHEEL_MOUSE_HACK_B8 for A4TECH NB-95 2021-05-05 14:29:13 +02:00
hid-accutouch.c
hid-alps.c HID: alps: Declare U1_UNICORN_LEGACY support 2022-07-22 15:02:20 +02:00
hid-apple.c HID: apple: Add "GANSS" to the non-Apple list 2022-07-22 15:05:22 +02:00
hid-appleir.c HID: appleir: Use devm_kzalloc() instead of kzalloc() 2020-03-13 17:33:11 +01:00
hid-asus.c HID: asus: ROG NKey: Ignore portion of 0x5a report 2022-08-25 11:31:41 +02:00
hid-aureal.c
hid-axff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-belkin.c
hid-betopff.c HID: betop: fix slab-out-of-bounds Write in betop_probe 2021-09-15 16:31:21 +02:00
hid-bigbenff.c HID: bigben: fix slab-out-of-bounds Write in bigben_probe 2022-05-06 10:46:36 +02:00
hid-cherry.c
hid-chicony.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-cmedia.c HID: cmedia: add support for HS-100B mute button 2021-07-28 11:51:07 +02:00
hid-core.c HID: core: remove unneeded assignment in hid_process_report() 2022-07-21 13:36:49 +02:00
hid-corsair.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-cougar.c HID: cougar: Make use of the helper function devm_add_action_or_reset() 2021-10-07 13:37:25 +02:00
hid-cp2112.c HID: cp2112: prevent a buffer overflow in cp2112_xfer() 2022-06-09 10:55:46 +02:00
hid-creative-sb0540.c HID: sb0540: add support for Creative SB0540 IR receivers 2019-09-03 16:52:04 +02:00
hid-cypress.c HID: cypress: Support Varmilo Keyboards' media hotkeys 2020-10-23 13:23:44 +02:00
hid-debug.c HID: add mapping for KEY_ALL_APPLICATIONS 2022-03-03 18:44:21 -08:00
hid-dr.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-elan.c HID: elan: Fix potential double free in elan_input_configured 2022-04-21 11:38:28 +02:00
hid-elecom.c HID: elecom: drop stray comment 2020-11-25 17:40:23 +01:00
hid-elo.c HID: elo: Revert USB reference counting 2022-02-17 14:14:41 +01:00
hid-emsff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-ezkey.c
hid-ft260.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-gaff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-gembird.c
hid-generic.c
hid-gfrm.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-glorious.c HID: Add driver fixing Glorious PC Gaming Race mouse report descriptor 2020-03-18 13:36:21 +01:00
hid-google-hammer.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2022-04-01 10:14:32 -07:00
hid-gt683r.c HID: gt683r: add missing MODULE_DEVICE_TABLE 2021-05-27 15:40:34 +02:00
hid-gyration.c
hid-holtek-kbd.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-holtek-mouse.c HID: holtek: fix mouse probing 2021-12-20 11:25:42 +01:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-hyperv.c HID: hyperv: Correctly access fields declared as __le16 2022-06-08 12:28:13 +00:00
hid-icade.c
hid-ids.h HID: Add Apple Touchbar on T2 Macs in hid_have_special_driver list 2022-08-25 11:46:15 +02:00
hid-input.c HID: input: fix uclogic tablets 2022-08-25 11:46:55 +02:00
hid-ite.c HID: lg-g15 + ite: Add MODULE_AUTHOR 2021-05-05 14:39:24 +02:00
hid-jabra.c
hid-kensington.c
hid-keytouch.c
hid-kye.c HID: uclogic: Switch to Digitizer usage for styluses 2022-05-11 14:19:27 +02:00
hid-lcpower.c
hid-led.c HID: hid-led: fix maximum brightness for Dream Cheeky 2022-04-21 10:28:49 +02:00
hid-lenovo.c HID: lenovo: Add note about different report numbers 2022-05-02 17:49:44 +02:00
hid-letsketch.c HID: Add new Letsketch tablet driver 2022-01-06 14:22:51 +01:00
hid-lg-g15.c HID: lg-g15: Fix comment typo 2022-07-21 13:47:12 +02:00
hid-lg.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-lg.h
hid-lg2ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.h
hid-lgff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-logitech-dj.c HID: logitech-dj: add new lightspeed receiver id 2022-02-16 16:26:21 +01:00
hid-logitech-hidpp.c HID: logitech-hidpp: Fix syntax errors in comments 2022-06-08 11:58:34 +02:00
hid-macally.c HID: macally: Constify macally_id_table 2020-08-17 11:38:49 +02:00
hid-magicmouse.c Merge branch 'for-5.17/magicmouse' into for-linus 2022-01-10 09:58:34 +01:00
hid-maltron.c
hid-mcp2221.c HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() 2022-07-21 11:54:40 +02:00
hid-megaworld.c HID: Add support for Mega World controller force feedback 2022-05-06 08:29:26 +02:00
hid-mf.c HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter 2020-11-25 14:30:33 +01:00
hid-microsoft.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2020-09-02 12:55:46 -07:00
hid-monterey.c
hid-multitouch.c HID: multitouch: new device class fix Lenovo X12 trackpad sticky 2022-06-09 11:13:08 +02:00
hid-nintendo.c HID: nintendo: fix rumble worker null pointer deref 2022-08-25 15:15:17 +02:00
hid-nti.c
hid-ntrig.c
hid-ortek.c
hid-penmount.c
hid-petalynx.c
hid-picolcd.h
hid-picolcd_backlight.c
hid-picolcd_cir.c media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
hid-picolcd_core.c HID: hid-picolcd_core: Remove unused variable 'ret' 2021-04-07 18:46:20 +02:00
hid-picolcd_debugfs.c
hid-picolcd_fb.c fbdev: Rename pagelist to pagereflist for deferred I/O 2022-05-03 16:04:22 +02:00
hid-picolcd_lcd.c
hid-picolcd_leds.c
hid-pl.c
hid-plantronics.c HID: plantronics: Workaround for double volume key presses 2021-03-08 11:08:58 +01:00
hid-playstation.c HID: playstation: fix return from dualsense_player_led_set_brightness() 2021-10-27 10:05:07 +02:00
hid-primax.c
hid-prodikeys.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-quirks.c HID: Add Apple Touchbar on T2 Macs in hid_have_special_driver list 2022-08-25 11:46:15 +02:00
hid-razer.c HID: Add driver for Razer Blackwidow keyboards 2022-02-16 17:12:14 +01:00
hid-redragon.c
hid-retrode.c
hid-rmi.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2020-10-23 16:16:31 -07:00
hid-roccat-arvo.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-arvo.h
hid-roccat-common.c
hid-roccat-common.h
hid-roccat-isku.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-isku.h
hid-roccat-kone.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-kone.h HID: roccat: Use struct_group() to zero kone_mouse_event 2021-09-25 08:20:48 -07:00
hid-roccat-koneplus.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-koneplus.h
hid-roccat-konepure.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-kovaplus.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-kovaplus.h
hid-roccat-lua.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-pyra.h
hid-roccat-ryos.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-savu.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-savu.h
hid-roccat.c HID: roccat: Fix use-after-free in roccat_read() 2022-09-20 14:49:15 +02:00
hid-saitek.c
hid-samsung.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-semitek.c HID: semitek: new driver for GK6X series keyboards 2021-05-05 14:21:08 +02:00
hid-sensor-custom.c HID: hid-sensor-custom: Process failure of sensor_hub_set_feature() 2021-05-26 12:36:46 +02:00
hid-sensor-hub.c HID: hid-sensor-hub: Return error for hid_set_field() failure 2021-05-05 14:36:18 +02:00
hid-sigmamicro.c HID: add SiGma Micro driver 2022-02-02 15:12:22 +01:00
hid-sjoy.c
hid-sony.c HID: sony: fix error path in probe 2021-12-02 15:36:18 +01:00
hid-speedlink.c
hid-steam.c HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report 2022-08-25 10:22:15 +02:00
hid-steelseries.c
hid-sunplus.c
hid-thrustmaster.c HID: thrustmaster: Add sparco wheel and fix array length 2022-08-25 11:38:55 +02:00
hid-tivo.c
hid-tmff.c HID: thrustmaster use swap() to make code cleaner 2021-12-14 10:50:23 +01:00
hid-topseed.c
hid-twinhan.c
hid-u2fzero.c HID: add hid_is_usb() function to make it simpler for USB detection 2021-12-02 15:35:57 +01:00
hid-uclogic-core.c HID: uclogic: Add support for XP-PEN Deco L 2022-06-15 15:51:47 +02:00
hid-uclogic-params.c Merge branch 'for-5.20/uclogic' into for-linus 2022-08-02 21:25:14 +02:00
hid-uclogic-params.h HID: uclogic: Do not focus on touch ring only 2022-05-11 14:19:27 +02:00
hid-uclogic-rdesc-test.c HID: uclogic: Allow to generate frame templates 2022-06-15 15:51:46 +02:00
hid-uclogic-rdesc.c HID: uclogic: Add support for XP-PEN Deco L 2022-06-15 15:51:47 +02:00
hid-uclogic-rdesc.h HID: uclogic: Add support for XP-PEN Deco L 2022-06-15 15:51:47 +02:00
hid-udraw-ps3.c HID: udraw-ps3: Replace HTTP links with HTTPS ones 2020-07-20 12:24:41 +02:00
hid-viewsonic.c HID: uclogic: Switch to Digitizer usage for styluses 2022-05-11 14:19:27 +02:00
hid-vivaldi-common.c HID: google: extract Vivaldi hid feature mapping for use in hid-hammer 2022-03-14 21:11:10 -07:00
hid-vivaldi-common.h HID: google: extract Vivaldi hid feature mapping for use in hid-hammer 2022-03-14 21:11:10 -07:00
hid-vivaldi.c HID: google: extract Vivaldi hid feature mapping for use in hid-hammer 2022-03-14 21:11:10 -07:00
hid-waltop.c
hid-wiimote-core.c HID: wiimote: remove h from printk format specifier 2021-01-07 10:14:58 +01:00
hid-wiimote-debug.c
hid-wiimote-modules.c HID: Wiimote: Treat the d-pad as an analogue stick 2020-06-19 14:17:22 +02:00
hid-wiimote.h HID: Wiimote: Treat the d-pad as an analogue stick 2020-06-19 14:17:22 +02:00
hid-xiaomi.c HID: Add support for side buttons of Xiaomi Mi Dual Mode Wireless Mouse Silent 2021-09-22 11:53:07 +02:00
hid-xinmo.c
hid-zpff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-zydacron.c
hidraw.c HID: hidraw: fix memory leak in hidraw_release() 2022-08-25 11:30:50 +02:00
Kconfig HID: uclogic: Add KUnit tests for uclogic_rdesc_template_apply() 2022-06-15 15:51:46 +02:00
Makefile HID: uclogic: Add KUnit tests for uclogic_rdesc_template_apply() 2022-06-15 15:51:46 +02:00
uhid.c uaccess: remove CONFIG_SET_FS 2022-02-25 09:36:06 +01:00
wacom.h HID: wacom: Force pen out of prox if no events have been received in a while 2022-07-21 13:49:32 +02:00
wacom_sys.c HID: wacom: Force pen out of prox if no events have been received in a while 2022-07-21 13:49:32 +02:00
wacom_wac.c HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs 2022-09-02 12:00:24 +02:00
wacom_wac.h HID: wacom: Adding Support for new usages 2022-04-21 09:42:32 +02:00