Takashi Iwai cfd463
From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001
From: ZhangPeng <zhangpeng362@huawei.com>
Date: Wed, 16 Nov 2022 07:14:28 +0000
Subject: [PATCH] HID: core: fix shift-out-of-bounds in hid_report_raw_event
Git-commit: ec61b41918587be530398b0d1c9a0d16619397e5
Patch-mainline: v6.1
References: git-fixes

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(),
the shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32 if n
is greater than 32.

Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 9c1d31f63f85..bd47628da6be 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1315,6 +1315,9 @@ static s32 snto32(__u32 value, unsigned n)
 	if (!value || !n)
 		return 0;
 
+	if (n > 32)
+		n = 32;
+
 	switch (n) {
 	case 8:  return ((__s8)value);
 	case 16: return ((__s16)value);
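Review bot: the new clamp at the top of snto32() carries no comment saying why a width above 32 is folded down to 32 instead of being rejected the way the `!value || !n` guard just above it rejects its inputs (by returning 0); a one-line comment would help, all the more because the log shows hid_field_extract() already warning on the same `n (128) > 32` condition, so a reader needs to know the two places are meant to agree on treating such a field as 32 bits wide. A second point is wording: the commit message says the change adds "support for n greater than 32 bits", but the hunk only clamps the width, so a descriptor-declared width above 32 is silently truncated; stating that plainly would avoid misleading later readers.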
-- 
2.35.3
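To make the bug and the fix concrete outside the kernel, here is an added example (not the kernel's code, and not written by the patch author) that models in user space the sign extension snto32() performs on an extracted HID report field, together with the clamp the patch adds. The helper names `snto32`, `shift_width_ok`, `extract_bits`, `field_value` and `sample_report` are this example's own, and the report bytes are constructed, not captured from a device; `extract_bits` is only modelled on the kernel's hid_field_extract(), not copied from it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/*
 * Added example, not the kernel's code: a user-space model of the sign
 * extension that snto32() performs on HID report fields, with the clamp
 * the patch adds. All names here are this example's own.
 */

/* Interpret the low n bits of value as a two's-complement signed number.
 * The generic branch shifts by (n - 1) and by n, which is only defined
 * for n in 1..31 on a 32-bit type; n == 32 is served by the switch.
 * Before the patch a descriptor-supplied width such as 128 reached the
 * shift, and UBSAN reported "shift exponent 127 is too large". */
static int32_t snto32(uint32_t value, unsigned n)
{
	if (!value || !n)
		return 0;

	/* The patch's fix: a field wider than 32 bits cannot carry more
	 * than the 32 bits that were extracted, so treat it as 32 bits. */
	if (n > 32)
		n = 32;

	switch (n) {
	case 8:  return (int8_t)value;
	case 16: return (int16_t)value;
	case 32: return (int32_t)value;
	}
	/* Generic width: when the sign bit (bit n-1) is set, fill bits
	 * n..31 with ones so the result is the negative number encoded. */
	return (value & (1u << (n - 1))) ? (int32_t)(value | (~0u << n))
	                                 : (int32_t)value;
}

/* True when shifting a 32-bit type by (n - 1) and by n is defined, i.e.
 * the condition the pre-patch code never checked. */
static int shift_width_ok(unsigned n)
{
	return n >= 1 && n <= 32;
}

/* Read n bits starting at bit 'offset' from a little-endian report
 * buffer. Modelled on the kernel's hid_field_extract(), which also
 * clamps n to 32 (the log above shows its "n (128) > 32!" warning). */
static uint32_t extract_bits(const uint8_t *report, size_t len,
			     unsigned offset, unsigned n)
{
	uint64_t acc = 0;
	size_t byte = offset / 8;
	unsigned i;

	if (n > 32)
		n = 32;
	/* Gather up to five bytes so a 32-bit field at any bit offset fits. */
	for (i = 0; i < 5 && byte + i < len; i++)
		acc |= (uint64_t)report[byte + i] << (8 * i);
	acc >>= offset % 8;
	return n == 32 ? (uint32_t)acc : (uint32_t)(acc & ((1u << n) - 1));
}

/* Extract and sign-extend one field, the order hid_input_fetch_field()
 * follows in the call trace above. */
static int32_t field_value(const uint8_t *report, size_t len,
			   unsigned offset, unsigned n)
{
	return snto32(extract_bits(report, len, offset, n), n);
}

/* Constructed sample report (not from a real device). */
static const uint8_t sample_report[] = { 0x12, 0x34, 0x56, 0xF8 };
static const size_t sample_report_len = sizeof(sample_report);

int main(void)
{
	/* Field widths as a descriptor might declare them; 128 is the
	 * malformed width from the syzbot report. */
	const unsigned widths[] = { 5, 8, 12, 32, 128 };
	size_t i;

	for (i = 0; i < sizeof(widths) / sizeof(widths[0]); i++)
		printf("offset 0, width %3u: shift defined before fix: %s, value %d\n",
		       widths[i], shift_width_ok(widths[i]) ? "yes" : "no",
		       field_value(sample_report, sample_report_len, 0, widths[i]));
	return 0;
}
```

The last row of the program's table is the syzbot case: with a width of 128, `shift_width_ok` reports that the generic shift would be undefined, while the clamped `snto32` simply reinterprets the 32 extracted bits, which is exactly what the patch makes the kernel do.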