Re: [Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()

From: Dan Carpenter
Date: Mon Jul 20 2020 - 07:54:19 EST

Next message: Christian Brauner: "Re: [PATCH v6 0/7] capabilities: Introduce CAP_CHECKPOINT_RESTORE"
Previous message: Jonathan Cameron: "Re: [PATCH v8 6/6] IIO: Ingenic JZ47xx: Add touchscreen mode."
In reply to: Peilin Ye: "[Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()"
Next in thread: Dan Carpenter: "Re: [Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jul 18, 2020 at 07:12:18PM -0400, Peilin Ye wrote:
> `uref->usage_index` is not always being properly checked, causing
> hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
>

Yeah. This code is not obvious. It doesn't come from the user directly
so we don't have to worry about nospec. It comes from hiddev_lookup_usage()
where we set:

uref->usage_index = j;

We know that j is less than field->maxusage but we do need to check
against field->report_count like your patch does... The two arrays
are allocated in hid_register_field().

I don't know the code well enough to say how these arrays are used or
why the one is larger than the other so I can't give a proper
reviewed-by. But the patch looks reasonable and doesn't introduce any
bugs which weren't there in the original code.

regards,
dan carpenter

Next message: Christian Brauner: "Re: [PATCH v6 0/7] capabilities: Introduce CAP_CHECKPOINT_RESTORE"
Previous message: Jonathan Cameron: "Re: [PATCH v8 6/6] IIO: Ingenic JZ47xx: Add touchscreen mode."
In reply to: Peilin Ye: "[Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()"
Next in thread: Dan Carpenter: "Re: [Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]