| Message ID | 20180720131023.15081-2-colin.king@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Input: gtco - fix potential out-of-bound access | expand |
On 20.07.2018 15:10, Colin King wrote: > From: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > CVE-2017-16643 > > parse_hid_report_descriptor() has a while (i < length) loop, which > only guarantees that there's at least 1 byte in the buffer, but the > loop body can read multiple bytes which causes out-of-bounds access. > > Reported-by: Andrey Konovalov <andreyknvl@google.com> > Reviewed-by: Andrey Konovalov <andreyknvl@google.com> > Cc: stable@vger.kernel.org > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > (clean upstream cherry pick from commit a50829479f58416a013a4ccca791336af3c584c7) > Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- -> (cherry picked from commit a50829479f58416a013a4ccca791336af3c584c7) > drivers/input/tablet/gtco.c | 17 ++++++++++------- > 1 file changed, 10 insertions(+), 7 deletions(-) > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > index b796e89..4b8b9d7 100644 > --- a/drivers/input/tablet/gtco.c > +++ b/drivers/input/tablet/gtco.c > @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > > /* Walk this report and pull out the info we need */ > while (i < length) { > - prefix = report[i]; > - > - /* Skip over prefix */ > - i++; > + prefix = report[i++]; > > /* Determine data size and save the data in the proper variable */ > - size = PREF_SIZE(prefix); > + size = (1U << PREF_SIZE(prefix)) >> 1; > + if (i + size > length) { > + dev_err(ddev, > + "Not enough data (need %d, have %d)\n", > + i + size, length); > + break; > + } > + > switch (size) { > case 1: > data = report[i]; > @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > case 2: > data16 = get_unaligned_le16(&report[i]); > break; > - case 3: > - size = 4; > + case 4: > data32 = get_unaligned_le32(&report[i]); > break; > } >
Applied to trusty master-next. ...Juerg On 07/20/2018 03:10 PM, Colin King wrote: > From: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > CVE-2017-16643 > > parse_hid_report_descriptor() has a while (i < length) loop, which > only guarantees that there's at least 1 byte in the buffer, but the > loop body can read multiple bytes which causes out-of-bounds access. > > Reported-by: Andrey Konovalov <andreyknvl@google.com> > Reviewed-by: Andrey Konovalov <andreyknvl@google.com> > Cc: stable@vger.kernel.org > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > (clean upstream cherry pick from commit a50829479f58416a013a4ccca791336af3c584c7) > Acked-by: Colin Ian King <colin.king@canonical.com> > --- > drivers/input/tablet/gtco.c | 17 ++++++++++------- > 1 file changed, 10 insertions(+), 7 deletions(-) > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > index b796e89..4b8b9d7 100644 > --- a/drivers/input/tablet/gtco.c > +++ b/drivers/input/tablet/gtco.c > @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > > /* Walk this report and pull out the info we need */ > while (i < length) { > - prefix = report[i]; > - > - /* Skip over prefix */ > - i++; > + prefix = report[i++]; > > /* Determine data size and save the data in the proper variable */ > - size = PREF_SIZE(prefix); > + size = (1U << PREF_SIZE(prefix)) >> 1; > + if (i + size > length) { > + dev_err(ddev, > + "Not enough data (need %d, have %d)\n", > + i + size, length); > + break; > + } > + > switch (size) { > case 1: > data = report[i]; > @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, > case 2: > data16 = get_unaligned_le16(&report[i]); > break; > - case 3: > - size = 4; > + case 4: > data32 = get_unaligned_le32(&report[i]); > break; > } >
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index b796e89..4b8b9d7 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, /* Walk this report and pull out the info we need */ while (i < length) { - prefix = report[i]; - - /* Skip over prefix */ - i++; + prefix = report[i++]; /* Determine data size and save the data in the proper variable */ - size = PREF_SIZE(prefix); + size = (1U << PREF_SIZE(prefix)) >> 1; + if (i + size > length) { + dev_err(ddev, + "Not enough data (need %d, have %d)\n", + i + size, length); + break; + } + switch (size) { case 1: data = report[i]; @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, case 2: data16 = get_unaligned_le16(&report[i]); break; - case 3: - size = 4; + case 4: data32 = get_unaligned_le32(&report[i]); break; }