Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write

logi_dj_recv_send_report() assumes that all incoming REPORT_ID_DJ_SHORT
reports are 14 Bytes (DJREPORT_SHORT_LENGTH - 1) long. It uses that
assumption to load the associated field's 'value' array with 14 Bytes of
data. However, if a malicious user only sends say 1 Byte of data,
'report_count' will be 1 and only 1 Byte of memory will be allocated to
the 'value' Byte array. When we come to populate 'value[1-13]' we will
experience an OOB write.

Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

Authored by Lee Jones and committed by Jiri Kosina
b6a57912 a940aee1

+10
drivers/hid/hid-logitech-dj.c
··· 1859 1859 const struct hid_device_id *id) 1860 1860 { 1861 1861 struct hid_report_enum *input_report_enum; 1862 + struct hid_report_enum *output_report_enum; 1862 1863 struct hid_report *rep; 1863 1864 struct dj_receiver_dev *djrcv_dev; 1864 1865 struct usb_interface *intf; ··· 1902 1901 hdev->quirks |= HID_QUIRK_INPUT_PER_APP; 1903 1902 return hid_hw_start(hdev, HID_CONNECT_DEFAULT); 1904 1903 } 1904 + } 1905 + 1906 + output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; 1907 + rep = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; 1908 + 1909 + if (rep->maxfield < 1 || rep->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1) { 1910 + hid_err(hdev, "Expected size of DJ short report is %d, but got %d", 1911 + DJREPORT_SHORT_LENGTH - 1, rep->field[0]->report_count); 1912 + return -EINVAL; 1905 1913 } 1906 1914 1907 1915 input_report_enum = &hdev->report_enum[HID_INPUT_REPORT];
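
Review bot: in the second hunk, `rep` is dereferenced in `if (rep->maxfield < 1 || ...)` without a NULL test. It is read straight from `output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]`, and nothing in the visible lines establishes that the device's report descriptor declared an output report with that ID, so a descriptor that omits it turns this new check into a NULL pointer dereference at probe time. Suggest `if (!rep || rep->maxfield < 1 || rep->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1)`, or skipping the check when the report is absent if receivers without it are legitimate. A second point in the same block: the `hid_err()` call always evaluates `rep->field[0]->report_count`, including when the branch was taken because `rep->maxfield < 1`, which is exactly the case where `field[0]` cannot be relied on; split the two conditions or log the count only for the size mismatch. The format string is also missing its trailing "\n".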