Re: [PATCH] HID: uhid: fix a missing-check bug

2018-05-07 Thread David Herrmann
Hey

On Sat, May 5, 2018 at 6:17 AM, Wenwen Wang wrote:
> In uhid_event_from_user(), if it is in_compat_syscall(), the 'type' of the
> event is first fetched from the 'buffer' in userspace and checked. If the
> 'type' is UHID_CREATE, it is a messed up request with compat pointer, which
> could be

[PATCH] HID: uhid: fix a missing-check bug

2018-05-04 Thread Wenwen Wang
In uhid_event_from_user(), if it is in_compat_syscall(), the 'type' of the event is first fetched from the 'buffer' in userspace and checked. If the 'type' is UHID_CREATE, it is a messed up request with compat pointer, which could be more than 256 bytes, so it is better allocated from the heap, as
