linux/drivers/hid
Jaejoong Kim f043bfc98c HID: usbhid: fix out-of-bounds bug
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.

In addition, if bNumDescriptors of the hid descriptor has an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].

So check the size of hid descriptor and bNumDescriptors.

	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261

	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
	4.14.0-rc1-42251-gebb2c2437d80 #169
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	__dump_stack lib/dump_stack.c:16
	dump_stack+0x292/0x395 lib/dump_stack.c:52
	print_address_description+0x78/0x280 mm/kasan/report.c:252
	kasan_report_error mm/kasan/report.c:351
	kasan_report+0x22f/0x340 mm/kasan/report.c:409
	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
	hub_port_connect drivers/usb/core/hub.c:4903
	hub_port_connect_change drivers/usb/core/hub.c:5009
	port_event drivers/usb/core/hub.c:5115
	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
	kthread+0x3a1/0x470 kernel/kthread.c:231
	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Cc: stable@vger.kernel.org
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-10-11 15:40:31 +02:00
i2c-hid HID: i2c-hid: allocate hid buffers for real worst case 2017-09-13 18:16:40 +02:00
intel-ish-hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2017-07-10 09:22:48 -07:00
usbhid HID: usbhid: fix out-of-bounds bug 2017-10-11 15:40:31 +02:00
hid-a4tech.c
hid-accutouch.c HID: Accutouch: Add driver for ELO Accutouch 2216 USB Touchscreens 2017-03-21 15:03:55 +01:00
hid-alps.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-apple.c HID: apple: Use country code to detect ISO keyboards 2017-06-08 13:58:03 +02:00
hid-appleir.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-asus.c HID: asus: Add T100CHI bluetooth keyboard dock touchpad support 2017-08-08 10:05:23 +02:00
hid-aureal.c HID: fix some indenting issues 2015-10-21 13:15:53 +02:00
hid-axff.c
hid-belkin.c
hid-betopff.c HID: betop: add drivers/hid/hid-betopff.c 2014-12-22 15:00:25 +01:00
hid-cherry.c
hid-chicony.c HID: move Asus keyboard support from hid-chicony to hid-asus 2017-06-08 13:47:52 +02:00
hid-cmedia.c HID: Support for CMedia CM6533 HID audio jack controls 2016-03-02 10:31:36 +01:00
hid-core.c Merge branch 'for-4.14/driver-lock-removal' into for-linus 2017-09-05 11:08:52 +02:00
hid-corsair.c HID: corsair: Add driver Scimitar Pro RGB gaming mouse 1b1c:1b3e support to hid-corsair 2017-03-21 14:46:15 +01:00
hid-cp2112.c HID: cp2112: use proper hidraw name with minor number 2017-03-21 15:20:39 +01:00
hid-cypress.c HID: hid-cypress: validate length of report 2017-01-06 16:06:43 +01:00
hid-debug.c Merge branch 'for-4.12/asus' into for-linus 2017-05-02 11:02:41 +02:00
hid-dr.c Revert "HID: dragonrise: fix HID Descriptor for 0x0006 PID" 2016-10-10 10:52:01 +02:00
hid-elecom.c HID: elecom: extend to fix the descriptor for DEFT trackballs 2017-05-11 10:49:14 +02:00
hid-elo.c HID: elo: kill not flush the work 2016-06-01 14:08:17 +02:00
hid-emsff.c
hid-ezkey.c
hid-gaff.c
hid-gembird.c HID: gembird: add new driver to fix Gembird JPD-DualForce 2 2015-08-18 15:03:43 +02:00
hid-generic.c
hid-gfrm.c HID: hid-gfrm: avoid warning for input_configured API change 2015-11-05 10:15:35 -08:00
hid-gt683r.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-gyration.c
hid-holtek-kbd.c
hid-holtek-mouse.c
hid-holtekff.c
hid-hyperv.c HID: hyperv: match wait_for_completion_timeout return type 2015-01-26 14:25:41 +01:00
hid-icade.c
hid-ids.h Revert "HID: multitouch: Support ALPS PTP stick with pid 0x120A" 2017-10-02 11:49:43 +02:00
hid-input.c HID: input: throttle battery uevents 2017-08-15 10:56:03 +02:00
hid-ite.c HID: ite: Add hid-ite driver 2017-05-11 10:27:48 +02:00
hid-kensington.c
hid-keytouch.c
hid-kye.c scripts/spelling.txt: add "comsume(r)" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
hid-lcpower.c
hid-led.c HID: hid-led: fix issue with transfer buffer not being dma capable 2016-10-10 10:47:03 +02:00
hid-lenovo.c HID: lenovo: Don't use stack variables for DMA buffers 2016-03-29 15:39:36 +02:00
hid-lg2ff.c
hid-lg3ff.c
hid-lg4ff.c HID: hid-logitech: Improve Wingman Formula Force GP support 2016-09-26 15:39:56 +02:00
hid-lg4ff.h HID: hid-logitech: Add combined pedal support Logitech wheels 2016-09-26 15:39:54 +02:00
hid-lg.c HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 2017-01-26 21:58:16 +01:00
hid-lg.h HID: hid-lg4ff: Introduce a module parameter to disable automatic switch of compatibility mode 2015-02-18 21:14:54 +01:00
hid-lgff.c
hid-logitech-dj.c HID: logitech-dj: allow devices to request full pairing information 2017-04-06 14:36:36 +02:00
hid-logitech-hidpp.c HID: logitech-hidpp: constify attribute_group structures. 2017-08-03 13:38:30 +02:00
hid-magicmouse.c Revert "HID: magicmouse: Set multi-touch keybits for Magic Mouse" 2017-06-20 10:38:17 +02:00
hid-mf.c HID: hid-mf: add force feedback support for Mayflash DolphinBar and GameCube 2017-01-11 22:12:44 +01:00
hid-microsoft.c HID: multitouch: enable Surface 3 Type Cover Pro to report multitouch data 2017-01-20 15:17:19 +01:00
hid-monterey.c
hid-multitouch.c Revert "HID: multitouch: Support ALPS PTP stick with pid 0x120A" 2017-10-02 11:49:43 +02:00
hid-nti.c HID: Add quirk driver for NTI USB-SUN adapter 2017-03-06 13:16:33 +01:00
hid-ntrig.c HID: ntrig: constify attribute_group structures. 2017-08-03 13:38:30 +02:00
hid-ortek.c HID: ortek: add one more buggy device 2017-07-24 17:38:21 +02:00
hid-penmount.c HID: penmount: report only one button for PenMount 6000 USB touchscreen controller 2016-03-10 17:17:26 +01:00
hid-petalynx.c
hid-picolcd_backlight.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_cir.c [media] rc-main: assign driver type during allocation 2017-01-30 13:59:57 -02:00
hid-picolcd_core.c
hid-picolcd_debugfs.c HID: picoLCD: Spelling s/REPORT_WRTIE_MEMORY/REPORT_WRITE_MEMORY/ 2017-03-24 15:45:04 +01:00
hid-picolcd_fb.c
hid-picolcd_lcd.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_leds.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-picolcd.h
hid-pl.c
hid-plantronics.c HID: plantronics: Update to map volume up/down controls 2015-06-12 15:04:17 +02:00
hid-primax.c
hid-prodikeys.c HID: prodikeys: constify snd_rawmidi_ops structures 2017-08-15 11:02:45 +02:00
hid-retrode.c HID: Add driver for Retrode2 joypad adapter 2017-06-22 14:44:11 +02:00
hid-rmi.c HID: rmi: Make sure the HID device is opened on resume 2017-09-08 15:00:52 +02:00
hid-roccat-arvo.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-arvo.h
hid-roccat-common.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-common.h
hid-roccat-isku.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-isku.h
hid-roccat-kone.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-kone.h
hid-roccat-koneplus.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-koneplus.h
hid-roccat-konepure.c
hid-roccat-kovaplus.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-kovaplus.h
hid-roccat-lua.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-pyra.h
hid-roccat-ryos.c
hid-roccat-savu.c
hid-roccat-savu.h
hid-roccat.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
hid-saitek.c HID: Add a new Saitek mouse device ID (RAT 9) 2016-08-02 16:45:17 +02:00
hid-samsung.c
hid-sensor-custom.c Merge branch 'for-4.14/ish' into for-linus 2017-09-05 11:10:13 +02:00
hid-sensor-hub.c HID: hid-sensor-hub: Force logical minimum to 1 for power and report state 2017-08-09 22:15:59 +02:00
hid-sjoy.c HID: sjoy: support Super Joy Box 4 2015-05-07 10:47:53 +02:00
hid-sony.c Merge branch 'for-4.12/sony' into for-linus 2017-05-02 11:02:24 +02:00
hid-speedlink.c
hid-steelseries.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-sunplus.c
hid-tivo.c HID: tivo: enable all buttons on the TiVo Slide Pro remote 2015-03-15 10:04:27 -04:00
hid-tmff.c
hid-topseed.c
hid-twinhan.c
hid-uclogic.c HID: uclogic: add support for Ugee Tablet EX07S 2017-04-06 14:50:11 +02:00
hid-udraw-ps3.c HID: udraw-ps3: accel_limits is local to the driver 2016-11-15 14:23:17 +01:00
hid-waltop.c HID: Remove broken links to tablet descriptions 2016-09-19 14:32:21 +02:00
hid-wiimote-core.c
hid-wiimote-debug.c
hid-wiimote-modules.c HID: wiimote: Fix wiimote mp scale linearization 2016-03-18 17:31:38 +01:00
hid-wiimote.h HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-xinmo.c HID: xinmo: fix for out of range for THT 2P arcade controller. 2017-03-24 15:43:03 +01:00
hid-zpff.c
hid-zydacron.c
hidraw.c HID: hidraw: fix power sequence when closing device 2017-10-02 11:46:31 +02:00
Kconfig HID: wacom: add USB_HID dependency 2017-08-01 11:22:21 +02:00
Makefile Merge branches 'for-4.13/multitouch', 'for-4.13/retrode', 'for-4.13/transport-open-close-consolidation', 'for-4.13/upstream' and 'for-4.13/wacom' into for-linus 2017-07-10 11:11:25 +02:00
uhid.c HID: introduce hid_is_using_ll_driver 2017-07-27 15:14:28 +02:00
wacom_sys.c HID: wacom: Always increment hdev refcount within wacom_get_hdev_data 2017-10-02 11:45:29 +02:00
wacom_wac.c HID: wacom: generic: Clear ABS_MISC when tool leaves proximity 2017-09-13 19:14:48 +02:00
wacom_wac.h HID: wacom: generic: Refactor generic battery handling 2017-05-05 21:46:10 +02:00
wacom.h HID: wacom: Add ability to provide explicit battery status info 2017-05-05 21:46:10 +02:00