Skip to content

Commit 773332f

Browse files
dtorgregkh
authored andcommitted
HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
commit 3b65428 upstream. Even though hid_hw_* checks that passed in data_len is less than HID_MAX_BUFFER_SIZE it is not enough, as i2c-hid does not necessarily allocate buffers of HID_MAX_BUFFER_SIZE but rather checks all device reports and select largest size. In-kernel users normally just send as much data as report needs, so there is no problem, but hidraw users can do whatever they please: BUG: KASAN: slab-out-of-bounds in memcpy+0x34/0x54 at addr ffffffc07135ea80 Write of size 4101 by task syz-executor/8747 CPU: 2 PID: 8747 Comm: syz-executor Tainted: G BU 3.18.0 #37 Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT) Call trace: [<ffffffc00020ebcc>] dump_backtrace+0x0/0x258 arch/arm64/kernel/traps.c:83 [<ffffffc00020ee40>] show_stack+0x1c/0x2c arch/arm64/kernel/traps.c:172 [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffc001958114>] dump_stack+0x90/0x140 lib/dump_stack.c:50 [< inline >] print_error_description mm/kasan/report.c:97 [< inline >] kasan_report_error mm/kasan/report.c:278 [<ffffffc0004597dc>] kasan_report+0x268/0x530 mm/kasan/report.c:305 [<ffffffc0004592e8>] __asan_storeN+0x20/0x150 mm/kasan/kasan.c:718 [<ffffffc0004594e0>] memcpy+0x30/0x54 mm/kasan/kasan.c:299 [<ffffffc001306354>] __i2c_hid_command+0x2b0/0x7b4 drivers/hid/i2c-hid/i2c-hid.c:178 [< inline >] i2c_hid_set_or_send_report drivers/hid/i2c-hid/i2c-hid.c:321 [<ffffffc0013079a0>] i2c_hid_output_raw_report.isra.2+0x3d4/0x4b8 drivers/hid/i2c-hid/i2c-hid.c:589 [<ffffffc001307ad8>] i2c_hid_output_report+0x54/0x68 drivers/hid/i2c-hid/i2c-hid.c:602 [< inline >] hid_hw_output_report include/linux/hid.h:1039 [<ffffffc0012cc7a0>] hidraw_send_report+0x400/0x414 drivers/hid/hidraw.c:154 [<ffffffc0012cc7f4>] hidraw_write+0x40/0x64 drivers/hid/hidraw.c:177 [<ffffffc0004681dc>] vfs_write+0x1d4/0x3cc fs/read_write.c:534 [< inline >] SYSC_pwrite64 fs/read_write.c:627 [<ffffffc000468984>] SyS_pwrite64+0xec/0x144 fs/read_write.c:614 Object at ffffffc07135ea80, in cache kmalloc-512 Object allocated with size 268 bytes. Let's check data length against the buffer size before attempting to copy data over. Reported-by: Alexander Potapenko <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]> Reviewed-by: Benjamin Tissoires <[email protected]> Signed-off-by: Jiri Kosina <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 72c49c6 commit 773332f

File tree

1 file changed

+10
-6
lines changed

1 file changed

+10
-6
lines changed

drivers/hid/i2c-hid/i2c-hid.c

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -282,17 +282,21 @@ static int i2c_hid_set_or_send_report(struct i2c_client *client, u8 reportType,
282282
u16 dataRegister = le16_to_cpu(ihid->hdesc.wDataRegister);
283283
u16 outputRegister = le16_to_cpu(ihid->hdesc.wOutputRegister);
284284
u16 maxOutputLength = le16_to_cpu(ihid->hdesc.wMaxOutputLength);
285+
u16 size;
286+
int args_len;
287+
int index = 0;
288+
289+
i2c_hid_dbg(ihid, "%s\n", __func__);
290+
291+
if (data_len > ihid->bufsize)
292+
return -EINVAL;
285293

286-
/* hid_hw_* already checked that data_len < HID_MAX_BUFFER_SIZE */
287-
u16 size = 2 /* size */ +
294+
size = 2 /* size */ +
288295
(reportID ? 1 : 0) /* reportID */ +
289296
data_len /* buf */;
290-
int args_len = (reportID >= 0x0F ? 1 : 0) /* optional third byte */ +
297+
args_len = (reportID >= 0x0F ? 1 : 0) /* optional third byte */ +
291298
2 /* dataRegister */ +
292299
size /* args */;
293-
int index = 0;
294-
295-
i2c_hid_dbg(ihid, "%s\n", __func__);
296300

297301
if (!use_data && maxOutputLength == 0)
298302
return -ENOSYS;

0 commit comments

Comments
 (0)