Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: logitech-hidpp: Check bounds when deleting force-feedback effects

Without this bounds check, this might otherwise overwrite index -1.

Triggering this condition requires action both from the USB device and from
userspace, which reduces the scenarios in which it can be exploited.

Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Günther Noack <gnoack@google.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

authored by Günther Noack and committed by Jiri Kosina
e606d832 45065a50

+9 -6
drivers/hid/hid-logitech-hidpp.c
··· 2502 2502 } 2503 2503 break; 2504 2504 case HIDPP_FF_DESTROY_EFFECT: 2505 - if (wd->effect_id >= 0) 2506 - /* regular effect destroyed */ 2507 - data->effect_ids[wd->params[0]-1] = -1; 2508 - else if (wd->effect_id >= HIDPP_FF_EFFECTID_AUTOCENTER) 2509 - /* autocenter spring destroyed */ 2510 - data->slot_autocenter = 0; 2505 + slot = wd->params[0]; 2506 + if (slot > 0 && slot <= data->num_effects) { 2507 + if (wd->effect_id >= 0) 2508 + /* regular effect destroyed */ 2509 + data->effect_ids[slot-1] = -1; 2510 + else if (wd->effect_id >= HIDPP_FF_EFFECTID_AUTOCENTER) 2511 + /* autocenter spring destroyed */ 2512 + data->slot_autocenter = 0; 2513 + } 2511 2514 break; 2512 2515 case HIDPP_FF_SET_GLOBAL_GAINS: 2513 2516 data->gain = (wd->params[0] << 8) + wd->params[1];
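Review bot: the new `slot > 0 && slot <= data->num_effects` check in the HIDPP_FF_DESTROY_EFFECT case wraps both branches, but only the regular-effect branch indexes `data->effect_ids[slot-1]`. The autocenter branch (`data->slot_autocenter = 0`) does not use `slot`, so a destroy reply for the autocenter spring whose `params[0]` is 0 or greater than `data->num_effects` now leaves `slot_autocenter` set, where the old code cleared it. If that behaviour change is not intended, apply the range check only inside the `wd->effect_id >= 0` branch. Two smaller points: the declaration of `slot` is outside the visible lines, so it is worth confirming that its type holds the full range of `wd->params[0]` and that `data->num_effects` matches the allocated length of `effect_ids`. An out-of-range slot is also dropped silently here, and a `hid_warn()` on that path would make a misbehaving device visible in the log.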