Commit d9d4b1e4 authored by Alan Stern's avatar Alan Stern Committed by Benjamin Tissoires
Browse files

HID: Fix assumption that devices have inputs 



The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver.  The problem is caused by the driver's assumption that the
device must have an input report.  While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.

The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.

Reported-and-tested-by: default avatar <syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com>
Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
parent fe2199cf

drivers/hid/hid-axff.c

+9 −2
Original line number Diff line number Diff line
@@ -63,13 +63,20 @@ static int axff_init(struct hid_device *hid) 
{

	struct axff_device *axff;

	struct hid_report *report;

	struct hid_input *hidinput = list_first_entry(&hid->inputs, struct hid_input, list);

	struct hid_input *hidinput;

	struct list_head *report_list =&hid->report_enum[HID_OUTPUT_REPORT].report_list;

	struct input_dev *dev = hidinput->input;

	struct input_dev *dev;

	int field_count = 0;

	int i, j;

	int error;



	if (list_empty(&hid->inputs)) {

		hid_err(hid, "no inputs found\n");

		return -ENODEV;

	}

	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);

	dev = hidinput->input;



	if (list_empty(report_list)) {

		hid_err(hid, "no output reports found\n");

		return -ENODEV;

drivers/hid/hid-dr.c

+9 −3
Original line number Diff line number Diff line
@@ -75,13 +75,19 @@ static int drff_init(struct hid_device *hid) 
{

	struct drff_device *drff;

	struct hid_report *report;

	struct hid_input *hidinput = list_first_entry(&hid->inputs,

						struct hid_input, list);

	struct hid_input *hidinput;

	struct list_head *report_list =

			&hid->report_enum[HID_OUTPUT_REPORT].report_list;

	struct input_dev *dev = hidinput->input;

	struct input_dev *dev;

	int error;



	if (list_empty(&hid->inputs)) {

		hid_err(hid, "no inputs found\n");

		return -ENODEV;

	}

	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);

	dev = hidinput->input;



	if (list_empty(report_list)) {

		hid_err(hid, "no output reports found\n");

		return -ENODEV;

drivers/hid/hid-emsff.c

+9 −3
Original line number Diff line number Diff line
@@ -47,13 +47,19 @@ static int emsff_init(struct hid_device *hid) 
{

	struct emsff_device *emsff;

	struct hid_report *report;

	struct hid_input *hidinput = list_first_entry(&hid->inputs,

						struct hid_input, list);

	struct hid_input *hidinput;

	struct list_head *report_list =

			&hid->report_enum[HID_OUTPUT_REPORT].report_list;

	struct input_dev *dev = hidinput->input;

	struct input_dev *dev;

	int error;



	if (list_empty(&hid->inputs)) {

		hid_err(hid, "no inputs found\n");

		return -ENODEV;

	}

	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);

	dev = hidinput->input;



	if (list_empty(report_list)) {

		hid_err(hid, "no output reports found\n");

		return -ENODEV;

drivers/hid/hid-gaff.c

+9 −3
Original line number Diff line number Diff line
@@ -64,14 +64,20 @@ static int gaff_init(struct hid_device *hid) 
{

	struct gaff_device *gaff;

	struct hid_report *report;

	struct hid_input *hidinput = list_entry(hid->inputs.next,

						struct hid_input, list);

	struct hid_input *hidinput;

	struct list_head *report_list =

			&hid->report_enum[HID_OUTPUT_REPORT].report_list;

	struct list_head *report_ptr = report_list;

	struct input_dev *dev = hidinput->input;

	struct input_dev *dev;

	int error;



	if (list_empty(&hid->inputs)) {

		hid_err(hid, "no inputs found\n");

		return -ENODEV;

	}

	hidinput = list_entry(hid->inputs.next, struct hid_input, list);

	dev = hidinput->input;



	if (list_empty(report_list)) {

		hid_err(hid, "no output reports found\n");

		return -ENODEV;

drivers/hid/hid-holtekff.c

+9 −3
Original line number Diff line number Diff line
@@ -124,13 +124,19 @@ static int holtekff_init(struct hid_device *hid) 
{

	struct holtekff_device *holtekff;

	struct hid_report *report;

	struct hid_input *hidinput = list_entry(hid->inputs.next,

						struct hid_input, list);

	struct hid_input *hidinput;

	struct list_head *report_list =

			&hid->report_enum[HID_OUTPUT_REPORT].report_list;

	struct input_dev *dev = hidinput->input;

	struct input_dev *dev;

	int error;



	if (list_empty(&hid->inputs)) {

		hid_err(hid, "no inputs found\n");

		return -ENODEV;

	}

	hidinput = list_entry(hid->inputs.next, struct hid_input, list);

	dev = hidinput->input;



	if (list_empty(report_list)) {

		hid_err(hid, "no output report found\n");

		return -ENODEV;

CRA Git | Maintained and supported by SUSTech CRA and CCSE