From patchwork Tue May 9 14:42:39 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98928
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Benjamin Tissoires, Jiri Kosina
Subject: [PATCH for-3.18 15/24] HID: core: prevent out-of-bound readings
Date: Tue, 9 May 2017 20:12:39 +0530
Message-Id: <1494340968-17152-16-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Benjamin Tissoires

commit 50220dead1650609206efe91f0cc116132d59b3f upstream.

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.

Signed-off-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
Signed-off-by: Amit Pundir
---
 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.7.4

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 19a3a12f3257..34dda44cb910 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1213,6 +1213,7 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, /* Ignore report if ErrorRollOver */ if (!(field->flags & HID_MAIN_ITEM_VARIABLE) && value[n] >= min && value[n] <= max && + value[n] - min < field->maxusage && field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1) goto exit; } 
@@ -1225,11 +1226,13 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, } if (field->value[n] >= min && field->value[n] <= max + && field->value[n] - min < field->maxusage && field->usage[field->value[n] - min].hid && search(value, field->value[n], count)) hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt); if (value[n] >= min && value[n] <= max + && value[n] - min < field->maxusage && field->usage[value[n] - min].hid && search(field->value, value[n], count)) hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
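
Review bot: In the ErrorRollOver condition of hunk @@ -1213,6 +1213,7 @@, the added "value[n] - min < field->maxusage" test is a valid index bound only because "value[n] >= min" is evaluated earlier in the same && chain, so the difference cannot be negative when it is compared. A one-line comment stating that dependency, or computing the index once into a local that is used for both the comparison and the field->usage[] access, would keep a later reordering of the condition from reintroducing the out-of-bounds read. The changelog refers to MAX_USAGE while the check uses field->maxusage; a sentence relating the two would help anyone reviewing the backport.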
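
Review bot: The three-part range test (">= min", "<= max", "- min < field->maxusage") is now written out twice in hunk @@ -1225,11 +1226,13 @@, once for field->value[n] and once for value[n], and a third time in the ErrorRollOver check of the previous hunk. A small helper that takes the field and the value and returns whether the value maps to a valid usage index would keep the three sites from drifting apart, and would also cover the "&field->usage[... - min]" pointers passed to hid_process_event(). Values that fail the new bound are skipped without any message, so a debug print on that path would make a device that sends out-of-range array values diagnosable instead of only silencing KASAN.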