On Mon, Oct 23, 2017 at 01:24:23PM +0200, Andrey Konovalov wrote: > Hi! > > I've got the following report while fuzzing the kernel with syzkaller. > > On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+). > > parse_hid_report_descriptor() has a while (i < length) loop, which > only guarantees that there's at least 1 byte in the buffer, but the > loop body can read multiple bytes which causes out-of-bounds access.
Ugh, this whole driver should be moved over to HID, but I am not sure who has hardware to test... I just sent a patch plugging this hole. Thanks for the report. -- Dmitry
