    HID: Fix slab-out-of-bounds read in hid_field_extract · 8ec321e9
    Alan Stern authored
    The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
    handler.  The bug was caused by a report descriptor which included a
    field with size 12 bits and count 4899, for a total size of 7349
    bytes.
    
    The usbhid driver uses at most a single-page 4-KB buffer for reports.
    In the test there wasn't any problem about overflowing the buffer,
    since only one byte was received from the device.  Rather, the bug
    occurred when the HID core tried to extract the data from the report
    fields, which caused it to try reading data beyond the end of the
    allocated buffer.
    
    This patch fixes the problem by rejecting any report whose total
    length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
    for a possible report index).  In theory a device could have a report
    longer than that, but if there was such a thing we wouldn't handle it
    correctly anyway.
    
    Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    CC: <stable@vger.kernel.org>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
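The length check the commit message describes, written out as an added example (not the kernel's own hid-core.c code): a constructed model of report fields, a byte-length computation that rounds the last partial byte up, and the reject rule of "buffer size minus one byte for the report index". HID_MAX_BUFFER_SIZE is assumed here to be the 4-KB single-page value the message mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example: the single-page 4-KB buffer the commit
 * message describes. The real macro lives in the kernel's hid.h. */
#define HID_MAX_BUFFER_SIZE 4096

/* Constructed model of one report field from a report descriptor:
 * Report Size (bit width of one item) and Report Count (repeats).
 * Not the kernel's struct hid_field. */
struct field_desc {
    unsigned int size_bits; /* Report Size */
    unsigned int count;     /* Report Count */
};

/* Total report length in bytes; the last partial byte counts as a whole byte.
 * Accumulates in 64 bits so size_bits * count cannot wrap in 32-bit math. */
uint64_t report_size_bytes(const struct field_desc *fields, size_t nfields)
{
    uint64_t bits = 0;
    for (size_t i = 0; i < nfields; i++)
        bits += (uint64_t)fields[i].size_bits * fields[i].count;
    return (bits + 7) / 8;
}

/* The rule the fix adds: a report is rejected when its total length exceeds
 * HID_MAX_BUFFER_SIZE minus one byte reserved for a possible report index. */
bool report_length_ok(const struct field_desc *fields, size_t nfields)
{
    return report_size_bytes(fields, nfields) <= HID_MAX_BUFFER_SIZE - 1;
}

int main(void)
{
    /* Constructed descriptors: the fuzzer's 12-bit x 4899 field, and a sane one. */
    const struct field_desc fuzzed[] = { { 12, 4899 } };
    const struct field_desc sane[] = { { 8, 64 } };

    printf("fuzzed: %llu bytes, accepted=%d\n",
           (unsigned long long)report_size_bytes(fuzzed, 1), report_length_ok(fuzzed, 1));
    printf("sane:   %llu bytes, accepted=%d\n",
           (unsigned long long)report_size_bytes(sane, 1), report_length_ok(sane, 1));
    return 0;
}
```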