Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: playstation: validate num_touch_reports in DualShock 4 reports

The DualShock 4 HID driver fails to validate the num_touch_reports field
received from the device in both USB and Bluetooth input reports.
A malicious device could set this field to a value larger than the
allocated size of the touch_reports array (3 for USB, 4 for Bluetooth),
leading to an out-of-bounds read in dualshock4_parse_report().

This can result in kernel memory disclosure when processing malicious
HID reports.

Validate num_touch_reports against the array size for the respective
connection types before processing the touch data.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
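As an added, stand-alone C example (not kernel code and not part of this commit), the following models the bound the patch introduces: a device-controlled count is validated against the capacity of the fixed array it indexes before any loop touches that array. The report layout, the "bit 7 set = inactive" convention and the helper names ds4_parse_report_usb, ds4_make_report, ds4_try_count and ds4_active_points are constructed for the demonstration; only the 3-slot USB capacity and the num_touch_reports > ARRAY_SIZE() comparison come from the commit.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed, simplified stand-in for a USB DualShock 4 input report.
 * This is NOT the kernel's struct layout; it only reproduces the shape
 * that matters: a device-written count followed by a fixed-capacity
 * array of touch records (3 slots for USB, as the commit message says). */
struct ds4_touch_report {
    uint8_t timestamp;
    uint8_t point[2][4];   /* two packed points; bit 7 of byte 0 set = inactive */
};

struct ds4_input_report_usb {
    uint8_t report_id;
    uint8_t num_touch_reports;                 /* device-controlled */
    struct ds4_touch_report touch_reports[3];  /* fixed capacity */
};

/*
 * Parse one raw USB report. Returns the number of touch reports consumed
 * (0..3) or a negative errno. The device-supplied count is checked against
 * the array capacity BEFORE the loop indexes touch_reports[]; that single
 * comparison is what the patch adds to dualshock4_parse_report().
 */
int ds4_parse_report_usb(const uint8_t *data, size_t size, unsigned int *active_points)
{
    struct ds4_input_report_usb rep;
    unsigned int active = 0;

    if (size < sizeof(rep))
        return -EINVAL;                 /* shorter than the fixed layout */
    memcpy(&rep, data, sizeof(rep));    /* copy out: no aliasing/alignment games */

    if (rep.num_touch_reports > ARRAY_SIZE(rep.touch_reports))
        return -EINVAL;                 /* count would walk past touch_reports[] */

    for (unsigned int i = 0; i < rep.num_touch_reports; i++)
        for (int p = 0; p < 2; p++)
            if (!(rep.touch_reports[i].point[p][0] & 0x80))
                active++;

    if (active_points)
        *active_points = active;
    return (int)rep.num_touch_reports;
}

/* Build a constructed report: every slot carries one active touch point,
 * and the count byte is set to whatever the caller asks for, including
 * values a sane device would never send. Returns bytes written. */
size_t ds4_make_report(uint8_t *buf, size_t buflen, uint8_t num_touch_reports)
{
    struct ds4_input_report_usb rep;

    if (buflen < sizeof(rep))
        return 0;
    memset(&rep, 0x80, sizeof(rep));    /* all touch points start inactive */
    rep.report_id = 0x01;
    rep.num_touch_reports = num_touch_reports;
    for (size_t i = 0; i < ARRAY_SIZE(rep.touch_reports); i++) {
        rep.touch_reports[i].timestamp = (uint8_t)i;
        rep.touch_reports[i].point[0][0] = 0x00;   /* first point active */
    }
    memcpy(buf, &rep, sizeof(rep));
    return sizeof(rep);
}

/* Feed a report carrying the given count through the parser.
 * Returns the parser's result: the count, or -errno when rejected. */
int ds4_try_count(uint8_t num_touch_reports)
{
    uint8_t buf[64];
    size_t n = ds4_make_report(buf, sizeof(buf), num_touch_reports);
    return ds4_parse_report_usb(buf, n, NULL);
}

/* Same, but return the number of active points seen (0 when rejected). */
unsigned int ds4_active_points(uint8_t num_touch_reports)
{
    uint8_t buf[64];
    unsigned int pts = 0;
    size_t n = ds4_make_report(buf, sizeof(buf), num_touch_reports);
    if (ds4_parse_report_usb(buf, n, &pts) < 0)
        return 0;
    return pts;
}

int main(void)
{
    printf("num_touch_reports=2   -> %d (%u active points)\n", ds4_try_count(2), ds4_active_points(2));
    printf("num_touch_reports=3   -> %d (%u active points)\n", ds4_try_count(3), ds4_active_points(3));
    printf("num_touch_reports=200 -> %d (%s)\n", ds4_try_count(200),
           ds4_try_count(200) == -EINVAL ? "-EINVAL, rejected" : "?");
    return 0;
}
```

Build with `cc -Wall -o ds4_check ds4_check.c && ./ds4_check`. A count equal to the capacity (3) is accepted, which is why the comparison is `>` and not `>=`; anything larger, and any buffer shorter than the fixed layout, is refused before the array is indexed.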

authored by Benoît Sevens and committed by Jiri Kosina
82a4fc46 8df2c1b4

+12
drivers/hid/hid-playstation.c
··· 2377 2377 struct dualshock4_input_report_usb *usb = 2378 2378 (struct dualshock4_input_report_usb *)data; 2379 2379 2380 + if (usb->num_touch_reports > ARRAY_SIZE(usb->touch_reports)) { 2381 + hid_err(hdev, "DualShock4 USB input report has invalid num_touch_reports=%d\n", 2382 + usb->num_touch_reports); 2383 + return -EINVAL; 2384 + } 2385 + 2380 2386 ds4_report = &usb->common; 2381 2387 num_touch_reports = usb->num_touch_reports; 2382 2388 touch_reports = usb->touch_reports; ··· 2395 2389 if (!ps_check_crc32(PS_INPUT_CRC32_SEED, data, size - 4, report_crc)) { 2396 2390 hid_err(hdev, "DualShock4 input CRC's check failed\n"); 2397 2391 return -EILSEQ; 2392 + } 2393 + 2394 + if (bt->num_touch_reports > ARRAY_SIZE(bt->touch_reports)) { 2395 + hid_err(hdev, "DualShock4 BT input report has invalid num_touch_reports=%d\n", 2396 + bt->num_touch_reports); 2397 + return -EINVAL; 2398 2398 } 2399 2399 2400 2400 ds4_report = &bt->common;
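Review bot: in the USB hunk the new hid_err() fires on every rejected report, and because num_touch_reports is written by the device a misbehaving or hostile controller can trigger it at the full input-report rate and flood the kernel log; a ratelimited form such as `dev_err_ratelimited(&hdev->dev, ...)` (or a `_once` variant) keeps the diagnostic without that side effect. The comparison itself is right: `>` rather than `>=` accepts a count equal to ARRAY_SIZE(usb->touch_reports), which is the full array, and placing the check before `num_touch_reports = usb->num_touch_reports;` means no later code ever sees an unvalidated value.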
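Review bot: the Bluetooth hunk duplicates the USB check verbatim apart from the `bt`/`usb` pointer and the "BT"/"USB" word in the message; a small helper taking the count, the capacity and the transport name would keep the two bounds from drifting apart if either array size changes. Placing it after the ps_check_crc32() test is sensible (a report failing CRC is already dropped with -EILSEQ), but the CRC is no substitute for the bound: the device computes its own CRC, so a report that passes it can still carry num_touch_reports above ARRAY_SIZE(bt->touch_reports), which is exactly the case the commit message describes.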