• Jiri Kosina's avatar
    HID: fix data access in implement() · b2b6cada
    Jiri Kosina authored
    commit 27ce405039bfe6d3f4143415c638f56a3df77dca upstream.
    implement() is setting bytes in LE data stream. In case the data is not
    aligned to 64bits, it reads past the allocated buffer. It doesn't really
    change any value there (it's properly bitmasked), but in case that this
    read past the boundary hits a page boundary, pagefault happens when
    accessing 64bits of 'x' in implement(), and kernel oopses.
    This happens much more often when numbered reports are in use, as the
    initial 8bit skip in the buffer makes the whole process work on values
    which are not aligned to 64bits.
    This problem dates back to attempts in 2005 and 2006 to make implement()
    and extract() as generic as possible, and even back then the problem
    was realized by Adam Kroperlin, but falsely assumed to be impossible
    to cause any harm:
    I have made several attempts at fixing it "on the spot" directly in
    implement(), but the results were horrible; the special casing for processing
    last 64bit chunk and switching to different math makes it unreadable mess.
    I therefore took a path to allocate a few bytes more which will never make
    it into final report, but are there as a cushion for all the 64bit math
    operations happening in implement() and extract().
    All callers of hid_output_report() are converted at the same time to allocate
    the buffer by newly introduced hid_alloc_report_buf() helper.
    Bruno noticed that the whole raw_size test can be dropped as well, as
    hid_alloc_report_buf() makes sure that the buffer is always of a proper
    Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
    Acked-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
hid-picolcd_debugfs.c 27.1 KB