Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-20 Thread Jaejoong Kim
Hi Alan

2017-09-21 0:50 GMT+09:00 Alan Stern :
> On Wed, 20 Sep 2017, Kim Jaejoong wrote:
>
>> To. usb & input guys.
>>
>> While digging into this report, I was wondering about bNumDescriptors in HID
>> descriptor.
>> HID document from usb.org said, 'this number must be at least one (1)
>> as a Report des

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-20 Thread Alan Stern
On Wed, 20 Sep 2017, Kim Jaejoong wrote:
> To. usb & input guys.
>
> While digging into this report, I was wondering about bNumDescriptors in HID
> descriptor.
> HID document from usb.org said, 'this number must be at least one (1)
> as a Report descriptor will always be present.'
>
> There is no mentio

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-20 Thread Andrey Konovalov
On Wed, Sep 20, 2017 at 6:57 AM, Kim Jaejoong wrote:
> Hi Andrey
>
> 2017-09-19 21:38 GMT+09:00 Andrey Konovalov :
>> Hi Kim,
>>
>> I'm not sure. Is there a check on the bLength field of a
>> hid_descriptor struct? Can it be less than sizeof(struct
>> hid_descriptor)? If so, we still do an out-of-

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-19 Thread Kim Jaejoong
Hi Andrey

2017-09-19 21:38 GMT+09:00 Andrey Konovalov :
> On Tue, Sep 19, 2017 at 1:47 PM, Kim Jaejoong wrote:
>> Hi, Andrey Konovalov
>>
>> Thanks for the report.
>>
>> 2017-09-19 2:33 GMT+09:00 Andrey Konovalov :
>>> Hi!
>>>
>>> I've got the following crash while fuzzing the kernel with syzkall

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-19 Thread Andrey Konovalov
On Tue, Sep 19, 2017 at 1:47 PM, Kim Jaejoong wrote:
> Hi, Andrey Konovalov
>
> Thanks for the report.
>
> 2017-09-19 2:33 GMT+09:00 Andrey Konovalov :
>> Hi!
>>
>> I've got the following crash while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 1

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-19 Thread Kim Jaejoong
Hi, Andrey Konovalov

Thanks for the report.

2017-09-19 2:33 GMT+09:00 Andrey Konovalov :
> Hi!
>
> I've got the following crash while fuzzing the kernel with syzkaller.
>
> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>
> It seems that there's no proper check on the hdesc->bNumDes

usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-18 Thread Andrey Konovalov
Hi!

I've got the following crash while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

It seems that there's no proper check on the hdesc->bNumDescriptors value in usbhid_parse(). It iterates over hdesc->desc and accesses hdesc->desc[n] fields, whi