projects / GitHub / MotorolaMobilityLLC / kernel-slsi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aca8d89)
HID: core: Correctly handle ReportSize being zero
authorMarc Zyngier <maz@kernel.org>
Sat, 29 Aug 2020 11:26:01 +0000 (12:26 +0100)
committerchenyt17 <chenyt17@lenovo.com>
Fri, 28 May 2021 07:07:54 +0000 (15:07 +0800)
commit bce1305c0ece3dc549663605e567655dd701752c upstream.

It appears that a ReportSize value of zero is legal, even if a bit
non-sensical. Most of the HID code seems to handle that gracefully,
except when computing the total size in bytes. When fed as input to
memset, this leads to some funky outcomes.

Detect the corner case and correctly compute the size.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2020-0465
Bug: 162844689

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I0e61ea8b763669affdff3b8788a5fc66a8b7fcd3
Signed-off-by: Jignesh Patel <jignesh@motorola.com>
Reviewed-on: https://gerrit.mot.com/1796757
SLTApproved: Slta Waiver
SME-Granted: SME Approvals Granted
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
(cherry picked from commit 70fce522225b6207913db2279af807f03734b367)

drivers/hid/hid-core.c patch | blob | blame | history

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index a306493e2e9701e0d65f90127dffa8ff2d6c3cd4..350f6fa04d0fce1c4c8bb3caa4bf0eaf76bee519 100644 (file)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1362,6 +1362,17 @@ static void hid_output_field(const struct hid_device *hid,
        }
 }
 
+/*
+ * Compute the size of a report.
+ */
+static size_t hid_compute_report_size(struct hid_report *report)
+{
+       if (report->size)
+               return ((report->size - 1) >> 3) + 1;
+
+       return 0;
+}
+
 /*
  * Create a report. 'data' has to be allocated using
  * hid_alloc_report_buf() so that it has proper size.
@@ -1374,7 +1385,7 @@ void hid_output_report(struct hid_report *report, __u8 *data)
        if (report->id > 0)
                *data++ = report->id;
 
-       memset(data, 0, ((report->size - 1) >> 3) + 1);
+       memset(data, 0, hid_compute_report_size(report));
        for (n = 0; n < report->maxfield; n++)
                hid_output_field(report->device, report->field[n], data);
 }
@@ -1501,7 +1512,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
                csize--;
        }
 
-       rsize = ((report->size - 1) >> 3) + 1;
+       rsize = hid_compute_report_size(report);
 
        if (rsize > HID_MAX_BUFFER_SIZE)
                rsize = HID_MAX_BUFFER_SIZE;
Motorola kernel-slsi