linux

mirror of https://github.com/hardkernel/linux.git synced 2026-03-25 12:00:22 +09:00

Files

Alan Stern 6b8772ea68 HID: hidraw: Fix invalid read in hidraw_ioctl

commit 416dacb819 upstream.

The syzbot fuzzer has reported a pair of problems in the
hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
read.  An example of the first:

BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833

CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  strlen+0x79/0x90 lib/string.c:525
  strlen include/linux/string.h:281 [inline]
  hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
  vfs_ioctl fs/ioctl.c:46 [inline]
  file_ioctl fs/ioctl.c:509 [inline]
  do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
  ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
  __do_sys_ioctl fs/ioctl.c:720 [inline]
  __se_sys_ioctl fs/ioctl.c:718 [inline]
  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff

The two problems have the same cause: hidraw_ioctl() fails to test
whether the device has been removed.  This patch adds the missing test.

Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2023-05-15 14:31:52 +09:00

i2c-hid

i2c-hid: properly terminate i2c_hid_dmi_desc_override_table[] array

2023-05-15 12:28:16 +09:00

intel-ish-hid

HID: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR busy_clear bit

2023-05-15 12:21:35 +09:00

usbhid

HID: hiddev: do cleanup in failure of opening a device

2023-05-15 14:18:43 +09:00

hid-a4tech.c

HID: input: fix a4tech horizontal wheel custom usage

2023-05-15 14:20:45 +09:00

hid-alps.c

Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus

2016-10-07 09:59:48 +02:00

hid-apple.c

HID: add support for Apple Magic Keyboards

2023-05-15 08:33:51 +09:00

hid-appleir.c

HID: hid-input: allow input_configured callback return errors

2015-11-05 09:51:50 -08:00

hid-asus.c

HID: asus: add support for VivoBook E200HA

2016-04-04 09:59:21 +02:00

hid-aureal.c

HID: fix some indenting issues

2015-10-21 13:15:53 +02:00

hid-axff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-belkin.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-betopff.c

HID: betop: add drivers/hid/hid-betopff.c

2014-12-22 15:00:25 +01:00

hid-cherry.c

HID: fix a couple of off-by-ones

2014-08-21 10:43:28 -05:00

hid-chicony.c

HID: chicony: Add support for another ASUS Zen AiO keyboard

2017-12-14 09:28:18 +01:00

hid-cmedia.c

HID: Support for CMedia CM6533 HID audio jack controls

2016-03-02 10:31:36 +01:00

hid-core.c

HID: core: move Usage Page concatenation to Main item

2023-05-15 13:35:51 +09:00

hid-corsair.c

HID: corsair: Add driver Scimitar Pro RGB gaming mouse 1b1c:1b3e support to hid-corsair

2017-12-25 14:23:37 +01:00

hid-cp2112.c

HID: cp2112: fix broken gpio_direction_input callback

2017-12-20 10:07:26 +01:00

hid-cypress.c

HID: hid-cypress: validate length of report

2017-01-15 13:42:56 +01:00

hid-debug.c

HID: debug: fix race condition with between rdesc_show() and device removal

2023-05-15 12:38:21 +09:00

hid-dr.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-elecom.c

HID: fix some indenting issues

2015-10-21 13:15:53 +02:00

hid-elo.c

HID: elo: clear BTN_LEFT mapping

2018-03-22 09:17:53 +01:00

hid-emsff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-ezkey.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-gaff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-gembird.c

HID: gembird: add new driver to fix Gembird JPD-DualForce 2

2015-08-18 15:03:43 +02:00

hid-generic.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-gfrm.c

HID: hid-gfrm: avoid warning for input_configured API change

2015-11-05 10:15:35 -08:00

hid-gt683r.c

HID: use to_hid_device()

2015-12-28 13:41:44 +01:00

hid-gyration.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-holtek-kbd.c

HID: holtek: test for sanity of intfdata

2023-05-15 14:18:25 +09:00

hid-holtek-mouse.c

HID: Add Holtek USB ID 04d9:a0c2 ETEKCITY Scroll

2014-09-08 09:48:56 +02:00

hid-holtekff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-hyperv.c

HID: hyperv: match wait_for_completion_timeout return type

2015-01-26 14:25:41 +01:00

hid-icade.c

HID: icade: u16 which never < 0

2013-04-24 16:32:27 +02:00

hid-ids.h

HID: Add quirk for HP X1200 PIXART OEM mouse

2023-05-15 14:15:49 +09:00

hid-input.c

HID: input: add mapping for "Toggle Display" key

2023-05-15 12:49:35 +09:00

hid-kensington.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-keytouch.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-kye.c

HID: kye: Fix MousePen i608X v2 report descriptor

2016-09-19 14:32:22 +02:00

hid-lcpower.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-led.c

HID: hid-led: fix issue with transfer buffer not being dma capable

2016-10-10 10:47:03 +02:00

hid-lenovo.c

HID: lenovo: Add checks to fix of_led_classdev_register

2023-05-15 11:23:36 +09:00

hid-lg2ff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-lg3ff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-lg4ff.c

HID: logitech: Fix general protection fault caused by Logitech driver

2023-05-15 14:31:50 +09:00

hid-lg4ff.h

HID: hid-logitech: Add combined pedal support Logitech wheels

2016-09-26 15:39:54 +02:00

hid-lg.c

HID: logitech: Fix general protection fault caused by Logitech driver

2023-05-15 14:31:50 +09:00

hid-lg.h

HID: hid-lg4ff: Introduce a module parameter to disable automatic switch of compatibility mode

2015-02-18 21:14:54 +01:00

hid-lgff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-logitech-dj.c

HID: logitech-dj: check report length

2014-12-17 08:50:12 +01:00

hid-logitech-hidpp.c

HID: logitech-hidpp: use RAP instead of FAP to get the protocol version

2023-05-15 13:34:21 +09:00

hid-magicmouse.c

BACKPORT: treewide: Fix function prototypes for module_param_call()

2018-02-28 15:09:58 -08:00

hid-microsoft.c

HID: multitouch: enable the Surface 3 Type Cover to report multitouch data

2017-04-12 12:41:16 +02:00

hid-monterey.c

HID: fix a couple of off-by-ones

2014-08-21 10:43:28 -05:00

hid-multitouch.c

ODROID-G12: Make hid-multitouch and dwav-usb-mt driver as mouldes.

2022-03-15 09:20:56 +09:00

hid-ntrig.c

HID: hid-ntrig: add error handling for sysfs_create_group

2023-05-15 08:29:12 +09:00

hid-ortek.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-penmount.c

HID: penmount: report only one button for PenMount 6000 USB touchscreen controller

2016-03-10 17:17:26 +01:00

hid-petalynx.c

HID: fix a couple of off-by-ones

2014-08-21 10:43:28 -05:00

hid-picolcd_backlight.c

HID: picoLCD: Deletion of unnecessary checks before three function calls

2015-06-29 14:51:12 +02:00

hid-picolcd_cir.c

HID: picoLCD: Deletion of unnecessary checks before three function calls

2015-06-29 14:51:12 +02:00

hid-picolcd_core.c

HID: picolcd: be more verbose when reporting report size error

2014-08-27 23:27:10 +02:00

hid-picolcd_debugfs.c

HID: picolcd: remove unnecessary NULL test before debugfs_remove

2014-06-30 09:54:22 +02:00

hid-picolcd_fb.c

drivers/hid/hid-picolcd_fb: avoid world-writable sysfs files.

2014-05-14 10:53:56 +09:30

hid-picolcd_lcd.c

HID: picoLCD: Deletion of unnecessary checks before three function calls

2015-06-29 14:51:12 +02:00

hid-picolcd_leds.c

HID: use to_hid_device()

2015-12-28 13:41:44 +01:00

hid-picolcd.h

Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus

2013-04-30 10:19:07 +02:00

hid-pl.c

HID: pantherlord: validate output report details

2013-09-04 11:58:32 +02:00

hid-plantronics.c

HID: hid-plantronics: Re-resend Update to map button for PTT products

2023-05-12 16:42:19 +09:00

hid-primax.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-prodikeys.c

HID: prodikeys: Fix general protection fault during probe

2023-05-15 14:31:49 +09:00

hid-rmi.c

HID: Fix hid_report_len usage

2018-04-24 09:34:11 +02:00

hid-roccat-arvo.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-arvo.h

HID: roccat: correction and cleanup of HID feature reports

2011-06-13 12:52:57 +02:00

hid-roccat-common.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-common.h

HID: roccat: generalize some common code

2013-10-30 14:17:31 +01:00

hid-roccat-isku.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-isku.h

HID: roccat: add support for IskuFX

2013-03-14 11:50:49 +01:00

hid-roccat-kone.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-kone.h

HID: roccat: added media key support for Kone

2013-04-08 10:33:13 +02:00

hid-roccat-koneplus.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-koneplus.h

HID: roccat: fix wrong attr size for koneplus tcu

2012-11-18 22:58:28 +01:00

hid-roccat-konepure.c

HID: roccat: generalize some common code

2013-10-30 14:17:31 +01:00

hid-roccat-kovaplus.c

HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()

2018-05-30 07:50:21 +02:00

hid-roccat-kovaplus.h

HID: roccat: deprecate some Kovaplus attributes

2012-11-12 15:30:29 +01:00

hid-roccat-lua.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-lua.h

HID: roccat: add support for Roccat Lua

2012-10-17 10:44:47 +02:00

hid-roccat-pyra.c

HID: use kobj_to_dev()

2015-12-28 13:41:51 +01:00

hid-roccat-pyra.h

HID: roccat: deprecated some Pyra attributes

2012-11-12 15:30:28 +01:00

hid-roccat-ryos.c

HID: roccat: add support for Ryos MK keyboards

2013-10-30 14:17:31 +01:00

hid-roccat-savu.c

HID: roccat: generalize some common code

2013-10-30 14:17:31 +01:00

hid-roccat-savu.h

HID: roccat: generalize some common code

2013-10-30 14:17:31 +01:00

hid-roccat.c

HID: roccat: silence an uninitialized variable warning

2016-04-04 09:49:12 +02:00

hid-saitek.c

HID: hid-saitek: Add device ID for RAT 7 Contagion

2023-05-15 08:33:53 +09:00

hid-samsung.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-sensor-custom.c

HID: sensor: fix attributes in HID sensor interface

2016-11-05 16:56:09 +01:00

hid-sensor-hub.c

HID: sensor-hub: add quirk for Microchip MM7150

2017-04-12 12:41:16 +02:00

hid-sjoy.c

HID: sjoy: support Super Joy Box 4

2015-05-07 10:47:53 +02:00

hid-sony.c

HID: sony: Support DS4 dongle

2023-05-15 08:25:29 +09:00

hid-speedlink.c

HID: Fix Speedlink VAD Cezanne support for some devices

2013-08-26 13:51:10 +02:00

hid-steelseries.c

HID: use to_hid_device()

2015-12-28 13:41:44 +01:00

hid-sunplus.c

HID: fix a couple of off-by-ones

2014-08-21 10:43:28 -05:00

hid-tivo.c

HID: tivo: enable all buttons on the TiVo Slide Pro remote

2015-03-15 10:04:27 -04:00

hid-tmff.c

HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT

2023-05-15 14:20:23 +09:00

hid-topseed.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-twinhan.c

HID: Use module_hid_driver macro

2013-01-03 10:27:31 +01:00

hid-uclogic.c

HID: uclogic: Add support for UC-Logic TWHA60 v3

2016-09-19 14:32:24 +02:00

hid-waltop.c

HID: Remove broken links to tablet descriptions

2016-09-19 14:32:21 +02:00

hid-wiimote-core.c

HID: wiimote: replace hid_output_raw_report with hid_hw_output_report for output requests

2014-02-17 14:57:17 +01:00

hid-wiimote-debug.c

HID: wiimote: fix DRM debug-attr to correctly parse input

2013-06-03 11:07:06 +02:00

hid-wiimote-modules.c

HID: wiimote: Fix wiimote mp scale linearization

2016-03-18 17:31:38 +01:00

hid-wiimote.h

HID: use to_hid_device()

2015-12-28 13:41:44 +01:00

hid-xinmo.c

HID: xinmo: fix for out of range for THT 2P arcade controller.

2017-12-25 14:23:40 +01:00

hid-zpff.c

HID: Fix assumption that devices have inputs (CVE-2019-19532)

2020-12-17 17:23:21 +09:00

hid-zydacron.c

HID: trivial devm conversion for special hid drivers

2013-07-31 10:12:28 +02:00

hidraw.c

HID: hidraw: Fix invalid read in hidraw_ioctl

2023-05-15 14:31:52 +09:00

Kconfig

HID: corsair: Add driver Scimitar Pro RGB gaming mouse 1b1c:1b3e support to hid-corsair

2017-12-25 14:23:37 +01:00

Makefile

HID: intel_ish-hid: ISH Transport layer

2016-08-17 11:13:07 +02:00

uhid.c

HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges

2023-05-15 09:51:56 +09:00

wacom_sys.c

HID: Fix hid_report_len usage

2018-04-24 09:34:11 +02:00

wacom_wac.c

HID: wacom: Correct distance scale for 2nd-gen Intuos devices

2023-05-15 14:21:01 +09:00

wacom_wac.h

2016-10-07 09:59:48 +02:00

wacom.h

HID: wacom: power_supply: provide the actual model_name

2016-08-05 13:39:23 +02:00