projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 43ab41d) | patch
HID: usbhid: fix info leak in hid_submit_ctrl
authorAnirudh Rayabharam <mail@anirudhrb.com>
Sun, 25 Apr 2021 17:33:53 +0000 (23:03 +0530)
committerSasha Levin <sashal@kernel.org>
Wed, 30 Jun 2021 12:48:45 +0000 (08:48 -0400)
commit8c064eece9a51856f3f275104520c7e3017fc5c0
tree0dd5ee04d297a6b9338c9894915574ce14e789cbtree | snapshot (tar.gz zip)
parent43ab41d973e3e3be389a2819477d8054b9e61903commit | diff
HID: usbhid: fix info leak in hid_submit_ctrl

[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ]

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/hid/usbhid/hid-core.c diff | blob | blame | history
include/linux/hid.h diff | blob | blame | history