linux/drivers
Jaejoong Kim f043bfc98c HID: usbhid: fix out-of-bounds bug
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause an
out-of-bounds access.

In addition, if bNumDescriptors of the hid descriptor has an incorrect
value, this can also cause an out-of-bounds access while approaching
hdesc->desc[n].

So check the size of hid descriptor and bNumDescriptors.

	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261

	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
	4.14.0-rc1-42251-gebb2c2437d80 #169
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	__dump_stack lib/dump_stack.c:16
	dump_stack+0x292/0x395 lib/dump_stack.c:52
	print_address_description+0x78/0x280 mm/kasan/report.c:252
	kasan_report_error mm/kasan/report.c:351
	kasan_report+0x22f/0x340 mm/kasan/report.c:409
	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
	hub_port_connect drivers/usb/core/hub.c:4903
	hub_port_connect_change drivers/usb/core/hub.c:5009
	port_event drivers/usb/core/hub.c:5115
	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
	kthread+0x3a1/0x470 kernel/kthread.c:231
	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Cc: stable@vger.kernel.org
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-10-11 15:40:31 +02:00
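Added illustration of the two checks the commit describes (this is example code, not the kernel's patch): validate the received descriptor's bLength against the struct size before touching any field, then bound bNumDescriptors by the number of desc[] entries that actually fit inside bLength. The struct layouts follow the USB HID class spec but are defined here for the example, and the sample byte arrays are constructed, not captured from hardware.

```c
#include <stddef.h>
#include <stdint.h>

/* Struct layouts follow the USB HID class spec; defined here for the example
 * (assumption), not taken from the kernel headers. */
struct hid_class_descriptor {
    uint8_t  bDescriptorType;
    uint16_t wDescriptorLength;      /* little-endian on the wire */
} __attribute__((packed));

struct hid_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;        /* 0x21 = HID */
    uint16_t bcdHID;
    uint8_t  bCountryCode;
    uint8_t  bNumDescriptors;
    struct hid_class_descriptor desc[1];
} __attribute__((packed));

/* Returns how many desc[] entries may safely be indexed, or -1 to reject.
 * `avail` is the number of bytes actually received for this descriptor. */
int hid_safe_num_descriptors(const uint8_t *buf, size_t avail)
{
    const struct hid_descriptor *hdesc = (const struct hid_descriptor *)buf;
    size_t room;

    /* First bug in the commit: a header shorter than the struct means
     * reading bNumDescriptors or desc[0] already runs past the buffer. */
    if (avail < sizeof(*hdesc) || hdesc->bLength < sizeof(*hdesc) ||
        hdesc->bLength > avail)
        return -1;

    /* Second bug: bNumDescriptors is device-controlled, so bound it by
     * the entries that fit between the fixed header and bLength. */
    room = (hdesc->bLength - offsetof(struct hid_descriptor, desc)) /
           sizeof(struct hid_class_descriptor);
    if (hdesc->bNumDescriptors > room)
        return -1;                   /* clamping to `room` is the other option */
    return hdesc->bNumDescriptors;
}

/* Constructed sample descriptors (not captured from real hardware). */
const uint8_t sample_ok[]        = { 0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3f, 0x00 };
const uint8_t sample_two[]       = { 0x0c, 0x21, 0x11, 0x01, 0x00, 0x02, 0x22, 0x3f, 0x00, 0x23, 0x10, 0x00 };
const uint8_t sample_short[]     = { 0x06, 0x21, 0x11, 0x01, 0x00, 0x01 };
const uint8_t sample_bad_count[] = { 0x09, 0x21, 0x11, 0x01, 0x00, 0xff, 0x22, 0x3f, 0x00 };
```

The short and over-counted samples are the shapes that produced the KASAN slab-out-of-bounds report above once desc[n] was read without these bounds.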
accessibility
acpi arm64 updates for 4.14: 2017-09-05 09:53:37 -07:00
amba
android ANDROID: binder: don't queue async transactions to thread. 2017-09-01 09:22:50 +02:00
ata Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 08:13:52 -07:00
atm atm: zatm: Fix an error handling path in 'zatm_init_one()' 2017-07-18 11:37:46 -07:00
auxdisplay auxdisplay: constify charlcd_ops. 2017-07-17 17:23:16 +02:00
base driver core: bus: Fix a potential double free 2017-08-31 18:57:30 +02:00
bcma
block Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 11:52:29 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
bus bus: uniphier-system-bus: set up registers when resuming 2017-08-04 12:57:18 +02:00
cdrom block: don't set bounce limit in blk_init_queue 2017-06-27 12:13:45 -06:00
char Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
clk clk: keystone: sci-clk: Fix sci_clk_get 2017-08-02 18:37:26 -07:00
clocksource Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 13:06:34 -07:00
connector
cpufreq cpufreq: intel_pstate: report correct CPU frequencies during trace 2017-08-11 01:25:53 +02:00
cpuidle smp: Avoid using two cache lines for struct call_single_data 2017-08-29 15:14:38 +02:00
crypto crypto: ixp4xx - Fix error handling path in 'aead_perform()' 2017-08-09 20:01:33 +08:00
dax - A few DM integrity fixes that improve performance. One that address 2017-07-28 12:17:17 -07:00
dca
devfreq PM / devfreq: constify attribute_group structures. 2017-07-06 10:17:24 +09:00
dio
dma dmaengine: tegra210-adma: fix of_irq_get() error check 2017-08-09 11:39:16 +05:30
dma-buf dma-buf: fix reservation_object_wait_timeout_rcu to wait correctly v2 2017-08-14 13:01:25 -04:00
edac EDAC, mce_amd: Get rid of local var in amd_filter_mce() 2017-08-21 17:59:38 +02:00
eisa
extcon extcon: max77693: Allow MHL attach notifier 2017-08-25 09:32:27 +09:00
firewire
firmware Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
fmc drivers/fmc: carrier can program FPGA on registration 2017-08-28 16:24:22 +02:00
fpga fpga: altera-hps2fpga: fix multiple init of l3_remap_lock 2017-08-10 14:27:55 -07:00
fsi drivers/fsi/scom: Remove reset before every putscom 2017-08-28 17:15:16 +02:00
gpio This is the bulk of the GPIO changes for the v4.14 cycle: 2017-09-05 11:49:48 -07:00
gpu Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
hid HID: usbhid: fix out-of-bounds bug 2017-10-11 15:40:31 +02:00
hsi HSI changes for the v4.13 series 2017-07-04 14:28:22 -07:00
hv Drivers: hv: vmbus: Fix rescind handling issues 2017-08-16 09:16:29 -07:00
hwmon hwmon: (ltq-cputemp) add cpu temp sensor driver 2017-09-01 07:24:14 -07:00
hwspinlock
hwtracing stm class / intel_th: Updates for 4.14 2017-08-28 16:58:19 +02:00
i2c i2c: designware: Round down ACPI provided clk to nearest supported clk 2017-08-31 20:27:39 +02:00
ide ide: avoid warning for timings calculation 2017-07-21 04:37:22 +01:00
idle Merge branch 'x86/boot' into x86/mm, to pick up interacting changes 2017-07-18 11:36:53 +02:00
iio Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2017-09-05 11:54:41 -07:00
infiniband Updates for 4.14 kernel merge window 2017-09-03 17:49:17 -07:00
input Driver core update for 4.14-rc1 2017-09-05 10:41:21 -07:00
iommu Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
ipack
irqchip Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 13:08:27 -07:00
isdn mISDN: Fix null pointer dereference at mISDN_FsmNew 2017-08-11 14:56:23 -07:00
leds LED updates for 4.13 2017-07-06 11:32:40 -07:00
lightnvm lightnvm: pblk: advance bio according to lba index 2017-07-28 08:06:00 -06:00
macintosh Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 13:13:32 -07:00
mailbox mailbox: pcc: Fix crash when request PCC channel 0 2017-07-26 02:11:47 +02:00
mcb Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
md dm mpath: do not lock up a CPU with requeuing activity 2017-08-28 09:58:27 -04:00
media Linux 4.13-rc5 2017-08-15 16:16:58 +10:00
memory memory: atmel-ebi: Fix smc cycle xlate converter 2017-07-26 22:37:54 +02:00
memstick
message
mfd hwmon updates for v4.14 2017-09-03 18:43:20 -07:00
misc Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
mmc mmc: sdhci-xenon: add set_power callback 2017-08-30 14:11:47 +02:00
mtd mtd: nand: atmel: Relax tADL_min constraint 2017-08-24 20:59:50 -07:00
mux mux: make device_type const 2017-08-29 13:46:35 +02:00
net Merge branch 'parisc-4.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux 2017-09-05 09:37:11 -07:00
nfc NFC 4.13 pull request 2017-07-01 14:30:39 -07:00
ntb ntb: transport shouldn't disable link due to bogus values in SPADs 2017-08-01 13:31:44 -04:00
nubus
nvdimm libnvdimm: fix badblock range handling of ARS range 2017-07-17 11:43:58 -07:00
nvme Updates for 4.14 kernel merge window 2017-09-03 17:49:17 -07:00
nvmem nvmem: core: remove unneeded NULL check 2017-08-28 17:33:23 +02:00
of of: fix DMA mask generation 2017-08-17 10:23:45 +02:00
oprofile
parisc parisc: Fix up devices below a PCI-PCI MegaRAID controller bridge 2017-08-24 18:46:44 +02:00
parport Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
pci Updates for 4.14 kernel merge window 2017-09-03 17:49:17 -07:00
pcmcia
perf arm64: perf: Allow standard PMUv3 events to be extended by the CPU type 2017-08-08 17:12:34 +01:00
phy Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
pinctrl Revert "pinctrl: sunxi: Don't enforce bias disable (for now)" 2017-08-31 15:51:49 +02:00
platform platform/x86: intel-vbtn: match power button on press rather than release 2017-08-05 14:37:19 -07:00
pnp This is the bulk of GPIO changes for the v4.13 series: 2017-07-07 12:40:27 -07:00
power power: wm831x_power: Support USB charger current limit management 2017-08-15 15:05:01 +03:00
powercap powercap/RAPL: prevent overridding bits outside of the mask 2017-06-28 00:38:34 +02:00
pps
ps3
ptp ptp: introduce ptp auxiliary worker 2017-08-01 15:22:55 -07:00
pwm pwm: Changes for v4.13-rc1 2017-07-13 11:49:52 -07:00
rapidio
ras arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
regulator Merge remote-tracking branches 'regulator/topic/rc5t619' and 'regulator/topic/stm32-vref' into regulator-next 2017-09-04 17:45:50 +01:00
remoteproc remoteproc/keystone: Fix circular dependencies for ARM configs 2017-06-27 16:21:34 -07:00
reset regulator: Convert to using %pOF instead of full_name 2017-07-19 11:56:01 +01:00
rpmsg rpmsg updates for v4.13 2017-07-06 15:38:31 -07:00
rtc rtc: ds1307: fix regmap config 2017-08-21 11:08:03 +02:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2017-09-05 09:45:46 -07:00
sbus sbus: Convert to using %pOF instead of full_name 2017-07-20 12:37:10 -07:00
scsi Merge branch 'parisc-4.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux 2017-09-05 09:37:11 -07:00
sfi x86/boot: Fix memremap() related build failure 2017-07-20 11:37:58 +02:00
sh drivers/sh/intc/virq.c: delete an error message for a failed memory allocation in add_virq_to_pirq() 2017-07-06 16:24:30 -07:00
sn
soc soc: ti: knav: Add a NULL pointer check for kdev in knav_pool_create 2017-08-21 09:19:50 +02:00
spi Merge remote-tracking branch 'spi/topic/xlp' into spi-next 2017-09-04 15:51:34 +01:00
spmi spmi: pmic-arb: Move the ownership check to irq_chip callback 2017-08-28 13:52:22 +02:00
ssb
staging Staging/IIO driver updates for 4.14-rc1 2017-09-05 10:36:26 -07:00
target target: Fix node_acl demo-mode + uncached dynamic shutdown regression 2017-08-09 20:55:19 -07:00
tc
tee
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2017-07-14 13:12:32 -07:00
thunderbolt thunderbolt: Fix reset response_type 2017-08-28 16:21:32 +02:00
tty Staging/IIO driver updates for 4.14-rc1 2017-09-05 10:36:26 -07:00
uio
usb Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
uwb uwb: lc-rc: constify attribute_group structures. 2017-08-10 11:31:27 -07:00
vfio vfio/pci: Fix handling of RC integrated endpoint PCIe capability size 2017-07-27 10:39:33 -06:00
vhost Revert "vhost: cache used event for better performance" 2017-07-29 14:15:56 -07:00
video Driver core update for 4.14-rc1 2017-09-05 10:41:21 -07:00
virt
virtio Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 09:52:57 -07:00
vlynq
vme
w1 drivers: w1: add hwmon temp support for w1_therm 2017-08-31 18:50:14 +02:00
watchdog Merge git://www.linux-watchdog.org/linux-watchdog 2017-07-11 09:59:37 -07:00
xen Driver core update for 4.14-rc1 2017-09-05 10:41:21 -07:00
zorro
Kconfig
Makefile x86/lguest: Remove lguest support 2017-08-24 09:57:28 +02:00