Message ID | 20210822134319.3738-1-asha.16@itfac.mrt.ac.lk
---|---
State | New
Series | [v2] HID: betop: fix slab-out-of-bounds Write in betop_probe
On 8/22/21 4:43 PM, F.A.Sulaiman wrote:
> Syzbot reported a slab-out-of-bounds Write bug in the hid-betopff driver.
> The problem is the driver assumes the device must have an input report but
> some malicious devices violate this assumption.
>
> So this patch checks hid_device's input is non-empty before it's been used.
>
> Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
> Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
> ---
> drivers/hid/hid-betopff.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
> index 0790fbd3fc9a..2d62bde21413 100644
> --- a/drivers/hid/hid-betopff.c
> +++ b/drivers/hid/hid-betopff.c
> @@ -116,6 +116,11 @@ static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)
> {
> int ret;
>
> + if (list_empty(&hdev->inputs)) {
> + hid_err(hdev, "no inputs found\n");
> + return -ENODEV;
> + }
> +
> if (id->driver_data)
> hdev->quirks |= HID_QUIRK_MULTI_INPUT;
>

I am still able to trigger the reported slab-out-of-bounds with this patch applied,
please move this sanity check inside betopff_init().

Jiri, does it make sense to add proper error handling of betopff_init()?
Nowadays betop_probe() just ignores the betopff_init() return value. It looks
wrong to me.

I think Asha can prepare a patch series with these 2 changes.

With regards,
Pavel Skripkin
diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c index 0790fbd3fc9a..2d62bde21413 100644 --- a/drivers/hid/hid-betopff.c +++ b/drivers/hid/hid-betopff.c @@ -116,6 +116,11 @@ static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id) { int ret; + if (list_empty(&hdev->inputs)) { + hid_err(hdev, "no inputs found\n"); + return -ENODEV; + } + if (id->driver_data) hdev->quirks |= HID_QUIRK_MULTI_INPUT;
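Review bot: the list_empty(&hdev->inputs) guard sits at the very top of betop_probe(), before the driver has done anything with the device, and that is the wrong place for it: the hid_input entries on hdev->inputs are only created when hid_hw_start() connects the input layer, so at probe entry the list is empty for every device, and the check says nothing about the state betopff_init() sees later when it takes the first input. That is consistent with the reply in this thread reporting the crash still reproduces with the patch applied. Move the three-line check (`if (list_empty(&hdev->inputs)) {` / `hid_err(hdev, "no inputs found\n");` / `return -ENODEV;`) to the start of betopff_init(), where the list is actually consumed, and have betop_probe() propagate betopff_init()'s return value instead of discarding it, undoing whatever setup it completed before that call, so a device that exposes no input fails probe cleanly with -ENODEV.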
Syzbot reported a slab-out-of-bounds Write bug in the hid-betopff driver.
The problem is the driver assumes the device must have an input report but
some malicious devices violate this assumption.

So this patch checks hid_device's input is non-empty before it's been used.

Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
---
drivers/hid/hid-betopff.c | 5 +++++
1 file changed, 5 insertions(+)
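To make the assumption in the commit message concrete, here is an added user-space model of the kernel's intrusive-list idiom. It is not the hid-betopff driver's code and not from this thread; the struct hid_device, struct hid_input and struct input_dev below are simplified stand-ins with assumed fields, and only the list helpers mirror the kernel's. It shows why taking the first entry of an empty hid_device->inputs list yields a pointer into the hid_device itself (so any field read through it is an out-of-bounds access relative to the hid_input it pretends to be), and the list_empty() guard returning -ENODEV placed at the point of use.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal re-creation of the kernel's intrusive list helpers. */
struct list_head {
    struct list_head *next, *prev;
};

static inline void INIT_LIST_HEAD(struct list_head *head)
{
    head->next = head;
    head->prev = head;
}

static inline int list_empty(const struct list_head *head)
{
    return head->next == head;
}

static inline void list_add_tail(struct list_head *entry, struct list_head *head)
{
    entry->prev = head->prev;
    entry->next = head;
    head->prev->next = entry;
    head->prev = entry;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) \
    container_of((head)->next, type, member)

/* Simplified stand-ins for the kernel structs (assumed layout, not the real ones). */
struct input_dev {
    int ff_supported;
};

struct hid_input {
    struct list_head list;     /* linked into hid_device->inputs */
    struct input_dev *input;
};

struct hid_device {
    uint64_t quirks;
    struct list_head inputs;   /* empty until the input layer has connected */
    uint64_t flags;            /* whatever follows ->inputs is what a bogus entry's ->input overlaps */
};

/* Unfixed pattern: take the first input without checking the list. On an
 * empty list head->next == head, so the "entry" is &hid->inputs reinterpreted
 * as a hid_input: a pointer into hid_device, not to any hid_input. */
struct hid_input *first_input_unchecked(struct hid_device *hid)
{
    return list_first_entry(&hid->inputs, struct hid_input, list);
}

/* Fixed pattern: the guard from the patch, at the point where the list is used. */
int ff_init_checked(struct hid_device *hid, struct input_dev **dev_out)
{
    if (list_empty(&hid->inputs)) {
        fprintf(stderr, "no inputs found\n");   /* stands in for hid_err() */
        return -ENODEV;
    }
    *dev_out = list_first_entry(&hid->inputs, struct hid_input, list)->input;
    return 0;
}

/* Constructed scenario: a device that never exposed an input. */
static void setup_empty_device(struct hid_device *hid)
{
    hid->quirks = 0;
    INIT_LIST_HEAD(&hid->inputs);
    hid->flags = 0xdeadbeef;
}

/* Byte offset of the bogus "entry" from the start of the device struct; a
 * value smaller than sizeof(struct hid_device) proves it aliases the device. */
long bogus_entry_offset_on_empty(void)
{
    struct hid_device hid;
    setup_empty_device(&hid);
    struct hid_input *bogus = first_input_unchecked(&hid);   /* not dereferenced */
    return (char *)bogus - (char *)&hid;
}

int checked_init_on_empty(void)
{
    struct hid_device hid;
    struct input_dev *dev = NULL;
    setup_empty_device(&hid);
    return ff_init_checked(&hid, &dev);
}

int checked_init_with_input(void)
{
    struct hid_device hid;
    struct input_dev real = { .ff_supported = 1 };
    struct hid_input hi = { .input = &real };
    struct input_dev *dev = NULL;
    setup_empty_device(&hid);
    list_add_tail(&hi.list, &hid.inputs);
    if (ff_init_checked(&hid, &dev) != 0)
        return -1;
    return dev == &real ? 0 : -2;
}

int main(void)
{
    printf("bogus entry offset on empty list: %ld (inside hid_device, size %zu)\n",
           bogus_entry_offset_on_empty(), sizeof(struct hid_device));
    printf("checked init, no inputs: %d (-ENODEV is %d)\n",
           checked_init_on_empty(), -ENODEV);
    printf("checked init, one input: %d\n", checked_init_with_input());
    return 0;
}
```

The offset printed for the bogus entry equals offsetof(struct hid_device, inputs), which is why the real driver's write through the first input lands in hid_device memory (and, for a small enough allocation, past it) rather than in a hid_input; the guard only helps where the entry is actually taken, which in the driver is betopff_init(), not the top of betop_probe().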