diff mbox series

fix slab-out-of-bounds Write in betop_probe

Message ID 20210816201544.26405-1-asha.16@itfac.mrt.ac.lk
State New
Headers show
Series fix slab-out-of-bounds Write in betop_probe | expand

Commit Message

F.A.Sulaiman Aug. 16, 2021, 8:15 p.m. UTC
This patch resolves the bug 'KASAN: slab-out-of-bounds Write in betop_probe' reported by Syzbot.
This checkes hid_device's input is non empty before it's been used.

Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
---
 drivers/hid/hid-betopff.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

kernel test robot Aug. 17, 2021, 12:05 a.m. UTC | #1
Hi "F.A.Sulaiman",

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on hid/for-next]
[also build test WARNING on v5.14-rc6 next-20210816]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
base:   https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
config: x86_64-randconfig-r023-20210816 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 44d0a99a12ec7ead4d2f5ef649ba05b40f6d463d)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/8fc4d7961e182bc2992bee548fa3c33b628ffadd
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
        git checkout 8fc4d7961e182bc2992bee548fa3c33b628ffadd
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> drivers/hid/hid-betopff.c:118:20: warning: variable 'dev' set but not used [-Wunused-but-set-variable]

           struct input_dev *dev;
                             ^
   1 warning generated.


vim +/dev +118 drivers/hid/hid-betopff.c

   114	
   115	static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)
   116	{
   117		struct hid_input *hidinput;
 > 118		struct input_dev *dev;

   119		int ret;
   120	
   121		if (list_empty(&hdev->inputs)) {
   122			hid_err(hdev, "no inputs found\n");
   123			return -ENODEV;
   124		}
   125	
   126		hidinput = list_first_entry(&hdev->inputs, struct hid_input, list);
   127		dev = hidinput->input;
   128	
   129		if (id->driver_data)
   130			hdev->quirks |= HID_QUIRK_MULTI_INPUT;
   131	
   132		ret = hid_parse(hdev);
   133		if (ret) {
   134			hid_err(hdev, "parse failed\n");
   135			goto err;
   136		}
   137	
   138		ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT & ~HID_CONNECT_FF);
   139		if (ret) {
   140			hid_err(hdev, "hw start failed\n");
   141			goto err;
   142		}
   143	
   144		betopff_init(hdev);
   145	
   146		return 0;
   147	err:
   148		return ret;
   149	}
   150	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
kernel test robot Aug. 17, 2021, 12:35 a.m. UTC | #2
Hi "F.A.Sulaiman",

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on hid/for-next]
[also build test WARNING on v5.14-rc6 next-20210816]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
base:   https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
config: i386-allyesconfig (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
        # https://github.com/0day-ci/linux/commit/8fc4d7961e182bc2992bee548fa3c33b628ffadd
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
        git checkout 8fc4d7961e182bc2992bee548fa3c33b628ffadd
        # save the attached .config to linux build tree
        make W=1 ARCH=i386 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   drivers/hid/hid-betopff.c: In function 'betop_probe':
>> drivers/hid/hid-betopff.c:118:20: warning: variable 'dev' set but not used [-Wunused-but-set-variable]

     118 |  struct input_dev *dev;
         |                    ^~~


vim +/dev +118 drivers/hid/hid-betopff.c

   114	
   115	static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)
   116	{
   117		struct hid_input *hidinput;
 > 118		struct input_dev *dev;

   119		int ret;
   120	
   121		if (list_empty(&hdev->inputs)) {
   122			hid_err(hdev, "no inputs found\n");
   123			return -ENODEV;
   124		}
   125	
   126		hidinput = list_first_entry(&hdev->inputs, struct hid_input, list);
   127		dev = hidinput->input;
   128	
   129		if (id->driver_data)
   130			hdev->quirks |= HID_QUIRK_MULTI_INPUT;
   131	
   132		ret = hid_parse(hdev);
   133		if (ret) {
   134			hid_err(hdev, "parse failed\n");
   135			goto err;
   136		}
   137	
   138		ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT & ~HID_CONNECT_FF);
   139		if (ret) {
   140			hid_err(hdev, "hw start failed\n");
   141			goto err;
   142		}
   143	
   144		betopff_init(hdev);
   145	
   146		return 0;
   147	err:
   148		return ret;
   149	}
   150	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
kernel test robot Aug. 17, 2021, 8:58 p.m. UTC | #3
Hi "F.A.Sulaiman",

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on hid/for-next]
[also build test WARNING on v5.14-rc6 next-20210817]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
base:   https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
config: x86_64-randconfig-c007-20210816 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 44d0a99a12ec7ead4d2f5ef649ba05b40f6d463d)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/8fc4d7961e182bc2992bee548fa3c33b628ffadd
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
        git checkout 8fc4d7961e182bc2992bee548fa3c33b628ffadd
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>


clang-analyzer warnings: (new ones prefixed by >>)
   set_temp_reg(HYST, temp_hyst);
   ^
   drivers/hwmon/asb100.c:443:19: note: expanded from macro 'set_temp_reg'
                   data->reg[nr] = LM75_TEMP_TO_REG(val); \
                                   ^~~~~~~~~~~~~~~~~~~~~
   drivers/hwmon/lm75.h:27:14: note: Assuming '__UNIQUE_ID___x271' is <= '__UNIQUE_ID___y272'
           int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
                       ^
   include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
   #define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:124:48: note: expanded from macro 'clamp_t'
   #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
                                      ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:112:27: note: expanded from macro 'max_t'
   #define max_t(type, x, y)       __careful_cmp((type)(x), (type)(y), >)
                                   ^
   note: (skipping 3 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
   include/linux/minmax.h:104:48: note: expanded from macro 'min_t'
   #define min_t(type, x, y)       __careful_cmp((type)(x), (type)(y), <)
                                   ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
   include/linux/minmax.h:38:14: note: expanded from macro '__careful_cmp'
                   __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
                   ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:31:25: note: expanded from macro '__cmp_once'
                   typeof(x) unique_x = (x);               \
                                         ^
   drivers/hwmon/lm75.h:27:14: note: '?' condition is false
           int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
                       ^
   include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
   #define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
                                  ^
   include/linux/minmax.h:124:48: note: expanded from macro 'clamp_t'
   #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
                                                  ^
   include/linux/minmax.h:112:27: note: expanded from macro 'max_t'
   #define max_t(type, x, y)       __careful_cmp((type)(x), (type)(y), >)
                                   ^
   include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
                   __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
                   ^
   include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
                   __cmp(unique_x, unique_y, op); })
                   ^
   include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
   #define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
                            ^
   drivers/hwmon/lm75.h:27:14: note: '__UNIQUE_ID___x273' is < '__UNIQUE_ID___y274'
           int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
                       ^
   include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
   #define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:124:36: note: expanded from macro 'clamp_t'
   #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:104:27: note: expanded from macro 'min_t'
   #define min_t(type, x, y)       __careful_cmp((type)(x), (type)(y), <)
                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
                   __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
                   __cmp(unique_x, unique_y, op); })
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
   #define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
                            ^~~
   drivers/hwmon/lm75.h:27:14: note: '?' condition is true
           int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
                       ^
   include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
   #define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
                                  ^
   include/linux/minmax.h:124:36: note: expanded from macro 'clamp_t'
   #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
                                      ^
   include/linux/minmax.h:104:27: note: expanded from macro 'min_t'
   #define min_t(type, x, y)       __careful_cmp((type)(x), (type)(y), <)
                                   ^
   include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
                   __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
                   ^
   include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
                   __cmp(unique_x, unique_y, op); })
                   ^
   include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
   #define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
                            ^
   drivers/hwmon/lm75.h:29:12: note: 'ntemp' is < 0
           ntemp += (ntemp < 0 ? -250 : 250);
                     ^~~~~
   drivers/hwmon/lm75.h:29:12: note: '?' condition is true
   drivers/hwmon/lm75.h:30:29: note: The result of the left shift is undefined because the left operand is negative
           return (u16)((ntemp / 500) << 7);
                        ~~~~~~~~~~~~~ ^
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   5 warnings generated.
>> drivers/hid/hid-betopff.c:127:2: warning: Value stored to 'dev' is never read [clang-analyzer-deadcode.DeadStores]

           dev = hidinput->input;
           ^     ~~~~~~~~~~~~~~~
   drivers/hid/hid-betopff.c:127:2: note: Value stored to 'dev' is never read
           dev = hidinput->input;
           ^     ~~~~~~~~~~~~~~~
   Suppressed 4 warnings (3 in non-user code, 1 with check filters).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   3 warnings generated.
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   4 warnings generated.
   include/linux/hid.h:1007:9: warning: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'input') [clang-analyzer-core.NullDereference]
                                       input->name, c, type);
                                       ^
   drivers/hid/hid-corsair.c:630:6: note: Assuming the condition is false
           if ((usage->hid & HID_USAGE_PAGE) != HID_UP_KEYBOARD)
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/hid/hid-corsair.c:630:2: note: Taking false branch
           if ((usage->hid & HID_USAGE_PAGE) != HID_UP_KEYBOARD)
           ^
   drivers/hid/hid-corsair.c:634:6: note: 'gkey' is not equal to 0
           if (gkey != 0) {
               ^~~~
   drivers/hid/hid-corsair.c:634:2: note: Taking true branch
           if (gkey != 0) {
           ^
   drivers/hid/hid-corsair.c:635:3: note: Calling 'hid_map_usage_clear'
                   hid_map_usage_clear(input, usage, bit, max, EV_KEY,
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/hid.h:1035:2: note: Calling 'hid_map_usage'
           hid_map_usage(hidinput, usage, bit, max, type, c);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/hid.h:982:2: note: 'input' initialized here
           struct input_dev *input = hidinput->input;
           ^~~~~~~~~~~~~~~~~~~~~~~
   include/linux/hid.h:986:2: note: Control jumps to 'case 1:'  at line 995
           switch (type) {
           ^
   include/linux/hid.h:998:3: note:  Execution continues on line 1005
                   break;
                   ^
   include/linux/hid.h:1005:15: note: Assuming 'c' is <= 'limit'
           if (unlikely(c > limit || !bmap)) {
                        ^
   include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
   # define unlikely(x)    __builtin_expect(!!(x), 0)
                                               ^
   include/linux/hid.h:1005:15: note: Left side of '||' is false
           if (unlikely(c > limit || !bmap)) {
                        ^
   include/linux/hid.h:1005:28: note: Assuming 'bmap' is null
           if (unlikely(c > limit || !bmap)) {
                                     ^
   include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
   # define unlikely(x)    __builtin_expect(!!(x), 0)
                                               ^
   include/linux/hid.h:1005:28: note: Assuming pointer value is null
           if (unlikely(c > limit || !bmap)) {
                                     ^
   include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
   # define unlikely(x)    __builtin_expect(!!(x), 0)
                                               ^
   include/linux/hid.h:1005:2: note: Taking true branch
           if (unlikely(c > limit || !bmap)) {
           ^
   include/linux/hid.h:1006:3: note: Assuming the condition is true
                   pr_warn_ratelimited("%s: Invalid code %d type %d\n",
                   ^
   include/linux/printk.h:574:2: note: expanded from macro 'pr_warn_ratelimited'
           printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:557:6: note: expanded from macro 'printk_ratelimited'
           if (__ratelimit(&_rs))                                          \
               ^~~~~~~~~~~~~~~~~
   include/linux/ratelimit_types.h:41:28: note: expanded from macro '__ratelimit'
   #define __ratelimit(state) ___ratelimit(state, __func__)
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/hid.h:1006:3: note: Taking true branch
                   pr_warn_ratelimited("%s: Invalid code %d type %d\n",
                   ^
   include/linux/printk.h:574:2: note: expanded from macro 'pr_warn_ratelimited'
           printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
           ^
   include/linux/printk.h:557:2: note: expanded from macro 'printk_ratelimited'
           if (__ratelimit(&_rs))                                          \
           ^
   include/linux/hid.h:1007:9: note: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'input')
                                       input->name, c, type);
                                       ^
   include/linux/printk.h:574:49: note: expanded from macro 'pr_warn_ratelimited'
           printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
                                                          ^~~~~~~~~~~
   include/linux/printk.h:558:17: note: expanded from macro 'printk_ratelimited'
                   printk(fmt, ##__VA_ARGS__);                             \
                                 ^~~~~~~~~~~
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   4 warnings generated.
   kernel/static_call.c:275:47: warning: Access to field 'func' results in a dereference of a null pointer (loaded from variable 'key') [clang-analyzer-core.NullDereference]
                   arch_static_call_transform(site_addr, NULL, key->func,

vim +/dev +127 drivers/hid/hid-betopff.c

   114	
   115	static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)
   116	{
   117		struct hid_input *hidinput;
   118		struct input_dev *dev;
   119		int ret;
   120	
   121		if (list_empty(&hdev->inputs)) {
   122			hid_err(hdev, "no inputs found\n");
   123			return -ENODEV;
   124		}
   125	
   126		hidinput = list_first_entry(&hdev->inputs, struct hid_input, list);
 > 127		dev = hidinput->input;

   128	
   129		if (id->driver_data)
   130			hdev->quirks |= HID_QUIRK_MULTI_INPUT;
   131	
   132		ret = hid_parse(hdev);
   133		if (ret) {
   134			hid_err(hdev, "parse failed\n");
   135			goto err;
   136		}
   137	
   138		ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT & ~HID_CONNECT_FF);
   139		if (ret) {
   140			hid_err(hdev, "hw start failed\n");
   141			goto err;
   142		}
   143	
   144		betopff_init(hdev);
   145	
   146		return 0;
   147	err:
   148		return ret;
   149	}
   150	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Jiri Kosina Aug. 19, 2021, 6:47 p.m. UTC | #4
On Tue, 17 Aug 2021, F.A.Sulaiman wrote:

> This patch resolves the bug 'KASAN: slab-out-of-bounds Write in betop_probe' reported by Syzbot.

> This checkes hid_device's input is non empty before it's been used.

> 

> Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>

> ---

>  drivers/hid/hid-betopff.c | 10 ++++++++++

>  1 file changed, 10 insertions(+)

> 

> diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c

> index 467d789f9bc2..27b57aef9a0a 100644

> --- a/drivers/hid/hid-betopff.c

> +++ b/drivers/hid/hid-betopff.c

> @@ -121,8 +121,18 @@ static int betopff_init(struct hid_device *hid)

>  

>  static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)

>  {

> +	struct hid_input *hidinput;

> +	struct input_dev *dev;

>  	int ret;

>  

> +	if (list_empty(&hdev->inputs)) {

> +		hid_err(hdev, "no inputs found\n");

> +		return -ENODEV;

> +	}

> +

> +	hidinput = list_first_entry(&hdev->inputs, struct hid_input, list);

> +	dev = hidinput->input;

> +


Thanks for the fix. Syzbot is right though -- what is the point of the 
above assignment? Could you please resubmit a fixed up version?

Thanks,

-- 
Jiri Kosina
SUSE Labs
Pavel Skripkin Aug. 22, 2021, 4:01 p.m. UTC | #5
On 8/22/21 4:43 PM, F.A.Sulaiman wrote:
> Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.

> The problem is the driver assumes the device must have an input report but

> some malicious devices violate this assumption.

> 

> So this patch checks hid_device's input is non empty before it's been used.

> 

> Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com

> Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>

> ---

>   drivers/hid/hid-betopff.c | 5 +++++

>   1 file changed, 5 insertions(+)

> 

> diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c

> index 0790fbd3fc9a..2d62bde21413 100644

> --- a/drivers/hid/hid-betopff.c

> +++ b/drivers/hid/hid-betopff.c

> @@ -116,6 +116,11 @@ static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)

>   {

>   	int ret;

>   

> +	if (list_empty(&hdev->inputs)) {

> +		hid_err(hdev, "no inputs found\n");

> +		return -ENODEV;

> +	}

> +

>   	if (id->driver_data)

>   		hdev->quirks |= HID_QUIRK_MULTI_INPUT;

>   

> 


I am still able to trigger reported slab-out-bound with this patch 
applied, please move this sanity check inside betopff_init().


Jiri, does it make sense to add proper error handling of betopff_init()? 
Nowadays betop_probe() just ignores betopff_init() return value. It 
looks wrong to me.


I think, Asha can prepare a patch series with these 2 changes



With regards,
Pavel Skripkin
Pavel Skripkin Aug. 24, 2021, 3:12 p.m. UTC | #6
On 8/24/21 6:07 PM, F.A.Sulaiman wrote:
> Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.

> The problem is the driver assumes the device must have an input report but

> some malicious devices violate this assumption.

> 

> So this patch checks hid_device's input is non empty before it's been used.

> 

> Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com

> Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>



Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>



> ---

>   drivers/hid/hid-betopff.c | 13 ++++++++++---

>   1 file changed, 10 insertions(+), 3 deletions(-)

> 

> diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c

> index 0790fbd3fc9a..467d789f9bc2 100644

> --- a/drivers/hid/hid-betopff.c

> +++ b/drivers/hid/hid-betopff.c

> @@ -56,15 +56,22 @@ static int betopff_init(struct hid_device *hid)

>   {

>   	struct betopff_device *betopff;

>   	struct hid_report *report;

> -	struct hid_input *hidinput =

> -			list_first_entry(&hid->inputs, struct hid_input, list);

> +	struct hid_input *hidinput;

>   	struct list_head *report_list =

>   			&hid->report_enum[HID_OUTPUT_REPORT].report_list;

> -	struct input_dev *dev = hidinput->input;

> +	struct input_dev *dev;

>   	int field_count = 0;

>   	int error;

>   	int i, j;

>   

> +	if (list_empty(&hid->inputs)) {

> +		hid_err(hid, "no inputs found\n");

> +		return -ENODEV;

> +	}

> +

> +	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);

> +	dev = hidinput->input;

> +

>   	if (list_empty(report_list)) {

>   		hid_err(hid, "no output reports found\n");

>   		return -ENODEV;

>
diff mbox series

Patch

diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
index 467d789f9bc2..27b57aef9a0a 100644
--- a/drivers/hid/hid-betopff.c
+++ b/drivers/hid/hid-betopff.c
@@ -121,8 +121,18 @@  static int betopff_init(struct hid_device *hid)
 
 static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)
 {
+	struct hid_input *hidinput;
+	struct input_dev *dev;
 	int ret;
 
+	if (list_empty(&hdev->inputs)) {
+		hid_err(hdev, "no inputs found\n");
+		return -ENODEV;
+	}
+
+	hidinput = list_first_entry(&hdev->inputs, struct hid_input, list);
+	dev = hidinput->input;
+
 	if (id->driver_data)
 		hdev->quirks |= HID_QUIRK_MULTI_INPUT;