linux/drivers/hid
Dmitry Torokhov 3b654288b1 HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
Even though hid_hw_* checks that passed in data_len is less than
HID_MAX_BUFFER_SIZE it is not enough, as i2c-hid does not necessarily
allocate buffers of HID_MAX_BUFFER_SIZE but rather checks all device
reports and select largest size. In-kernel users normally just send as much
data as report needs, so there is no problem, but hidraw users can do
whatever they please:

BUG: KASAN: slab-out-of-bounds in memcpy+0x34/0x54 at addr ffffffc07135ea80
Write of size 4101 by task syz-executor/8747
CPU: 2 PID: 8747 Comm: syz-executor Tainted: G    BU         3.18.0 #37
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ebcc>] dump_backtrace+0x0/0x258 arch/arm64/kernel/traps.c:83
[<ffffffc00020ee40>] show_stack+0x1c/0x2c arch/arm64/kernel/traps.c:172
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc001958114>] dump_stack+0x90/0x140 lib/dump_stack.c:50
[<     inline     >] print_error_description mm/kasan/report.c:97
[<     inline     >] kasan_report_error mm/kasan/report.c:278
[<ffffffc0004597dc>] kasan_report+0x268/0x530 mm/kasan/report.c:305
[<ffffffc0004592e8>] __asan_storeN+0x20/0x150 mm/kasan/kasan.c:718
[<ffffffc0004594e0>] memcpy+0x30/0x54 mm/kasan/kasan.c:299
[<ffffffc001306354>] __i2c_hid_command+0x2b0/0x7b4 drivers/hid/i2c-hid/i2c-hid.c:178
[<     inline     >] i2c_hid_set_or_send_report drivers/hid/i2c-hid/i2c-hid.c:321
[<ffffffc0013079a0>] i2c_hid_output_raw_report.isra.2+0x3d4/0x4b8 drivers/hid/i2c-hid/i2c-hid.c:589
[<ffffffc001307ad8>] i2c_hid_output_report+0x54/0x68 drivers/hid/i2c-hid/i2c-hid.c:602
[<     inline     >] hid_hw_output_report include/linux/hid.h:1039
[<ffffffc0012cc7a0>] hidraw_send_report+0x400/0x414 drivers/hid/hidraw.c:154
[<ffffffc0012cc7f4>] hidraw_write+0x40/0x64 drivers/hid/hidraw.c:177
[<ffffffc0004681dc>] vfs_write+0x1d4/0x3cc fs/read_write.c:534
[<     inline     >] SYSC_pwrite64 fs/read_write.c:627
[<ffffffc000468984>] SyS_pwrite64+0xec/0x144 fs/read_write.c:614
Object at ffffffc07135ea80, in cache kmalloc-512
Object allocated with size 268 bytes.

Let's check data length against the buffer size before attempting to copy
data over.

Cc: stable@vger.kernel.org
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2016-03-15 14:27:10 +01:00
..
i2c-hid HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() 2016-03-15 14:27:10 +01:00
usbhid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2016-01-14 16:20:42 -08:00
hid-a4tech.c HID: trivial devm conversion for special hid drivers 2013-07-31 10:12:28 +02:00
hid-apple.c HID: apple: Add support for the 2015 Macbook Pro 2015-07-27 15:43:46 -07:00
hid-appleir.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-aureal.c HID: fix some indenting issues 2015-10-21 13:15:53 +02:00
hid-axff.c HID: enable Mayflash USB Gamecube Adapter 2013-11-12 19:06:23 +01:00
hid-belkin.c
hid-betopff.c HID: betop: add drivers/hid/hid-betopff.c 2014-12-22 15:00:25 +01:00
hid-cherry.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-chicony.c HID: chicony: Add support for Acer Aspire Switch 12 2015-07-29 14:12:26 +02:00
hid-core.c Merge branches 'for-4.4/upstream-fixes', 'for-4.5/async-suspend', 'for-4.5/container-of-cleanups', 'for-4.5/core', 'for-4.5/i2c-hid', 'for-4.5/logitech', 'for-4.5/multitouch', 'for-4.5/sony', 'for-4.5/upstream' and 'for-4.5/wacom' into for-linus 2016-01-14 16:11:06 +01:00
hid-corsair.c HID: corsair: Convert to use module_hid_driver 2015-12-28 13:10:58 +01:00
hid-cp2112.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-cypress.c HID: cypress: use swap() in cp_report_fixup() 2015-06-18 11:00:42 +02:00
hid-debug.c HID: debug: improve hid_debug_event() 2015-11-27 00:02:59 +01:00
hid-dr.c HID: dragonrise: fix HID Descriptor for 0x0006 PID 2015-09-04 14:52:09 +02:00
hid-elecom.c HID: fix some indenting issues 2015-10-21 13:15:53 +02:00
hid-elo.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-emsff.c
hid-ezkey.c
hid-gaff.c
hid-gembird.c HID: gembird: add new driver to fix Gembird JPD-DualForce 2 2015-08-18 15:03:43 +02:00
hid-generic.c
hid-gfrm.c HID: hid-gfrm: avoid warning for input_configured API change 2015-11-05 10:15:35 -08:00
hid-gt683r.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-gyration.c
hid-holtek-kbd.c
hid-holtek-mouse.c HID: Add Holtek USB ID 04d9:a0c2 ETEKCITY Scroll 2014-09-08 09:48:56 +02:00
hid-holtekff.c HID: hid-holtekff: don't push static constants on stack for %*ph 2013-08-05 11:29:57 +02:00
hid-hyperv.c HID: hyperv: match wait_for_completion_timeout return type 2015-01-26 14:25:41 +01:00
hid-icade.c HID: icade: u16 which never < 0 2013-04-24 16:32:27 +02:00
hid-ids.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2016-01-14 16:20:42 -08:00
hid-input.c Merge branches 'for-4.4/upstream-fixes', 'for-4.5/async-suspend', 'for-4.5/container-of-cleanups', 'for-4.5/core', 'for-4.5/i2c-hid', 'for-4.5/logitech', 'for-4.5/multitouch', 'for-4.5/sony', 'for-4.5/upstream' and 'for-4.5/wacom' into for-linus 2016-01-14 16:11:06 +01:00
hid-kensington.c
hid-keytouch.c
hid-kye.c HID: kye: Fix report descriptor for Genius PenSketch M912 2015-02-17 13:13:45 +01:00
hid-lcpower.c
hid-lenovo.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-lg2ff.c HID: logitech - lg2ff: Add IDs for Formula Vibration Feedback Wheel 2013-10-09 12:06:02 +02:00
hid-lg3ff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-lg4ff.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-lg4ff.h HID: hid-lg4ff: Remove double underscore prefix from numeric types 2015-05-07 16:27:07 +02:00
hid-lg.c HID: lg: restrict filtering out of first interface to G29 only 2015-12-02 14:51:00 +01:00
hid-lg.h HID: hid-lg4ff: Introduce a module parameter to disable automatic switch of compatibility mode 2015-02-18 21:14:54 +01:00
hid-lgff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-logitech-dj.c HID: logitech-dj: check report length 2014-12-17 08:50:12 +01:00
hid-logitech-hidpp.c HID: move to_hid_device() to hid.h 2015-12-28 13:41:11 +01:00
hid-magicmouse.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-microsoft.c HID: Add new Microsoft Type Cover 3 product ID 2015-09-23 11:47:24 +02:00
hid-monterey.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-multitouch.c Merge branches 'for-4.4/upstream-fixes', 'for-4.5/async-suspend', 'for-4.5/container-of-cleanups', 'for-4.5/core', 'for-4.5/i2c-hid', 'for-4.5/logitech', 'for-4.5/multitouch', 'for-4.5/sony', 'for-4.5/upstream' and 'for-4.5/wacom' into for-linus 2016-01-14 16:11:06 +01:00
hid-ntrig.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-ortek.c
hid-penmount.c HID: add support for PenMount HID TouchScreen Driver 2014-09-04 11:23:51 +02:00
hid-petalynx.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-picolcd_backlight.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_cir.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_core.c HID: picolcd: be more verbose when reporting report size error 2014-08-27 23:27:10 +02:00
hid-picolcd_debugfs.c HID: picolcd: remove unnecessary NULL test before debugfs_remove 2014-06-30 09:54:22 +02:00
hid-picolcd_fb.c drivers/hid/hid-picolcd_fb: avoid world-writable sysfs files. 2014-05-14 10:53:56 +09:30
hid-picolcd_lcd.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_leds.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-picolcd.h Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
hid-pl.c HID: pantherlord: validate output report details 2013-09-04 11:58:32 +02:00
hid-plantronics.c HID: plantronics: Update to map volume up/down controls 2015-06-12 15:04:17 +02:00
hid-primax.c
hid-prodikeys.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-rmi.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-roccat-arvo.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-arvo.h
hid-roccat-common.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-common.h HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat-isku.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-isku.h
hid-roccat-kone.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-kone.h HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-koneplus.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-koneplus.h
hid-roccat-konepure.c HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat-kovaplus.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-kovaplus.h
hid-roccat-lua.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-pyra.h
hid-roccat-ryos.c HID: roccat: add support for Ryos MK keyboards 2013-10-30 14:17:31 +01:00
hid-roccat-savu.c HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat-savu.h HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat.c HID: roccat: check cdev_add return value 2013-06-18 11:00:36 +02:00
hid-saitek.c HID: saitek: mode button quirk for Mad Catz R.A.T.5 2015-09-04 14:44:44 +02:00
hid-samsung.c
hid-sensor-custom.c HID: sensor: Custom and Generic sensor support 2015-04-10 22:22:55 +02:00
hid-sensor-hub.c HID: sensor-hub: Add quirk for Lenovo Yoga 900 with ITE Chips 2016-01-08 10:54:55 +01:00
hid-sjoy.c HID: sjoy: support Super Joy Box 4 2015-05-07 10:47:53 +02:00
hid-sony.c Merge branches 'for-4.4/upstream-fixes', 'for-4.5/async-suspend', 'for-4.5/container-of-cleanups', 'for-4.5/core', 'for-4.5/i2c-hid', 'for-4.5/logitech', 'for-4.5/multitouch', 'for-4.5/sony', 'for-4.5/upstream' and 'for-4.5/wacom' into for-linus 2016-01-14 16:11:06 +01:00
hid-speedlink.c HID: Fix Speedlink VAD Cezanne support for some devices 2013-08-26 13:51:10 +02:00
hid-steelseries.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-sunplus.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-thingm.c Merge branches 'for-3.18/always-poll-quirk', 'for-3.18/logitech', 'for-3.18/picolcd', 'for-3.18/rmi', 'for-3.18/sony', 'for-3.18/uhid', 'for-3.18/upstream' and 'for-3.18/wacom' into for-linus 2014-10-06 23:34:40 +02:00
hid-tivo.c HID: tivo: enable all buttons on the TiVo Slide Pro remote 2015-03-15 10:04:27 -04:00
hid-tmff.c
hid-topseed.c
hid-twinhan.c
hid-uclogic.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-waltop.c
hid-wiimote-core.c HID: wiimote: replace hid_output_raw_report with hid_hw_output_report for output requests 2014-02-17 14:57:17 +01:00
hid-wiimote-debug.c HID: wiimote: fix DRM debug-attr to correctly parse input 2013-06-03 11:07:06 +02:00
hid-wiimote-modules.c HID: wiimote: use dev_to_wii() 2015-12-28 13:41:51 +01:00
hid-wiimote.h HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-xinmo.c HID: use module_hid_driver() to simplify the code 2013-08-26 13:23:04 +02:00
hid-zpff.c HID: zeroplus: validate output report details 2013-09-13 15:11:34 +02:00
hid-zydacron.c HID: trivial devm conversion for special hid drivers 2013-07-31 10:12:28 +02:00
hidraw.c Merge branch 'for-3.15/hid-core-ll-transport-cleanup' into for-linus 2014-04-01 19:05:09 +02:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2015-11-07 12:49:27 -08:00
Makefile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2015-11-07 12:49:27 -08:00
uhid.c HID: uHID: fix excepted report type 2014-10-01 20:58:46 +02:00
wacom_sys.c Merge branches 'for-4.4/upstream-fixes', 'for-4.5/async-suspend', 'for-4.5/container-of-cleanups', 'for-4.5/core', 'for-4.5/i2c-hid', 'for-4.5/logitech', 'for-4.5/multitouch', 'for-4.5/sony', 'for-4.5/upstream' and 'for-4.5/wacom' into for-linus 2016-01-14 16:11:06 +01:00
wacom_wac.c Merge branches 'for-4.4/upstream-fixes', 'for-4.5/async-suspend', 'for-4.5/container-of-cleanups', 'for-4.5/core', 'for-4.5/i2c-hid', 'for-4.5/logitech', 'for-4.5/multitouch', 'for-4.5/sony', 'for-4.5/upstream' and 'for-4.5/wacom' into for-linus 2016-01-14 16:11:06 +01:00
wacom_wac.h HID: wacom: Use correct report to query pen ID from INTUOSHT2 devices 2016-01-08 10:15:22 +01:00
wacom.h HID: wacom: Add support for Express Key Remote. 2015-08-28 20:43:20 +02:00