Re: [PATCH v2 2/3] HID: logitech-hidpp: check WTP report length
On Tue, 16 Dec 2014, Peter Wu wrote: > Malicious USB devices can send bogus reports smaller than the expected > buffer size. Ensure that the length for WTP reports is valid to avoid > reading out of bounds. > > Signed-off-by: Peter Wu > --- > v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length > v2: splitted original report length check patch Applied to for-3.19/upstream-fixes. Thanks, -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH v2 2/3] HID: logitech-hidpp: check WTP report length
On Tue, Dec 16, 2014 at 10:55 AM, Peter Wu wrote: > Malicious USB devices can send bogus reports smaller than the expected > buffer size. Ensure that the length for WTP reports is valid to avoid > reading out of bounds. > > Signed-off-by: Peter Wu > --- > v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length > v2: splitted original report length check patch > --- Reviewed-by: Benjamin Tissoires Cheers, Benjamin > drivers/hid/hid-logitech-hidpp.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/hid/hid-logitech-hidpp.c > b/drivers/hid/hid-logitech-hidpp.c > index b32f751..2f1b0ac 100644 > --- a/drivers/hid/hid-logitech-hidpp.c > +++ b/drivers/hid/hid-logitech-hidpp.c > @@ -805,6 +805,11 @@ static int wtp_raw_event(struct hid_device *hdev, u8 > *data, int size) > > switch (data[0]) { > case 0x02: > + if (size < 2) { > + hid_err(hdev, "Received HID report of bad size (%d)", > + size); > + return 1; > + } > if (hidpp->quirks & HIDPP_QUIRK_WTP_PHYSICAL_BUTTONS) { > input_event(wd->input, EV_KEY, BTN_LEFT, > !!(data[1] & 0x01)); > @@ -818,6 +823,7 @@ static int wtp_raw_event(struct hid_device *hdev, u8 > *data, int size) > return wtp_mouse_raw_xy_event(hidpp, &data[7]); > } > case REPORT_ID_HIDPP_LONG: > + /* size is already checked in hidpp_raw_event. */ > if ((report->fap.feature_index != wd->mt_feature_index) || > (report->fap.funcindex_clientid != EVENT_TOUCHPAD_RAW_XY)) > return 1; > -- > 2.1.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-input" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 2/3] HID: logitech-hidpp: check WTP report length
Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length for WTP reports is valid to avoid reading out of bounds. Signed-off-by: Peter Wu --- v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length v2: splitted original report length check patch --- drivers/hid/hid-logitech-hidpp.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index b32f751..2f1b0ac 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -805,6 +805,11 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size) switch (data[0]) { case 0x02: + if (size < 2) { + hid_err(hdev, "Received HID report of bad size (%d)", + size); + return 1; + } if (hidpp->quirks & HIDPP_QUIRK_WTP_PHYSICAL_BUTTONS) { input_event(wd->input, EV_KEY, BTN_LEFT, !!(data[1] & 0x01)); @@ -818,6 +823,7 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size) return wtp_mouse_raw_xy_event(hidpp, &data[7]); } case REPORT_ID_HIDPP_LONG: + /* size is already checked in hidpp_raw_event. */ if ((report->fap.feature_index != wd->mt_feature_index) || (report->fap.funcindex_clientid != EVENT_TOUCHPAD_RAW_XY)) return 1; -- 2.1.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/