Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse()
From: Jiri Kosina
Date: Tue Jun 04 2024 - 10:15:32 EST
On Tue, 4 Jun 2024, Kees Cook wrote:
> This isn't the right solution. The problem is that hid_class_descriptor
> is a flexible array but was sized as a single element fake flexible
> array:
>
> struct hid_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __le16 bcdHID;
> __u8 bCountryCode;
> __u8 bNumDescriptors;
>
> struct hid_class_descriptor desc[1];
> } __attribute__ ((packed));
>
> This likely needs to be:
>
> struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
>
> And then check for any sizeof() uses of the struct that might have changed.
Ah, you are of course right, not sure what I was thinking. Thanks a lot
for catching my brainfart.
I am dropping the patch for now; Nikita, will you please send a refreshed
one?
--
Jiri Kosina
SUSE Labs