Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse()

From: Jiri Kosina
Date: Tue Jun 04 2024 - 10:15:32 EST

Next message: Baoquan He: "Re: [PATCH v4 3/7] crash_dump: store dm keys in kdump reserved memory"
Previous message: Greg Kroah-Hartman: "Re: [PATCH v5 06/11] platform: Add test managed platform_device/driver APIs"
In reply to: Kees Cook: "Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse()"
Next in thread: Nikita Zhandarovich: "Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 4 Jun 2024, Kees Cook wrote:

> This isn't the right solution. The problem is that hid_class_descriptor
> is a flexible array but was sized as a single element fake flexible
> array:
>
> struct hid_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __le16 bcdHID;
> __u8 bCountryCode;
> __u8 bNumDescriptors;
>
> struct hid_class_descriptor desc[1];
> } __attribute__ ((packed));
>
> This likely needs to be:
>
> struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
>
> And then check for any sizeof() uses of the struct that might have changed.

Ah, you are of course right, not sure what I was thinking. Thanks a lot
for catching my brainfart.

I am dropping the patch for now; Nikita, will you please send a refreshed
one?

--
Jiri Kosina
SUSE Labs

Next message: Baoquan He: "Re: [PATCH v4 3/7] crash_dump: store dm keys in kdump reserved memory"
Previous message: Greg Kroah-Hartman: "Re: [PATCH v5 06/11] platform: Add test managed platform_device/driver APIs"
In reply to: Kees Cook: "Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse()"
Next in thread: Nikita Zhandarovich: "Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]