diff options
author | Amulya Y <ayarlagadda@nvidia.com> | 2018-04-06 15:48:49 -0700 |
---|---|---|
committer | Winnie Hsu <whsu@nvidia.com> | 2018-04-19 10:58:40 -0700 |
commit | e592ed68b3c3c27d74d5592f99b423596755263a (patch) | |
tree | 34fc0479c1250637ab53b1cbd68f06572d7b0de9 /drivers | |
parent | ac43b10b632fac3412f18100e463e2129318bd3a (diff) |
HID: core: prevent out-of-bound readings
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Bug 1823317
Bug 1935735
Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259928
(cherry picked from commit fbc389a39540e177bfa4d49b9214dfe408ef2d4a)
Reviewed-on: https://git-master.nvidia.com/r/1690285
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/hid/hid-core.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 46b7b12376f9..dcea21ed9cd6 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1138,6 +1138,7 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, /* Ignore report if ErrorRollOver */ if (!(field->flags & HID_MAIN_ITEM_VARIABLE) && value[n] >= min && value[n] <= max && + value[n] - min < field->maxusage && field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1) goto exit; } @@ -1150,11 +1151,13 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, } if (field->value[n] >= min && field->value[n] <= max + && field->value[n] - min < field->maxusage && field->usage[field->value[n] - min].hid && search(value, field->value[n], count)) hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt); if (value[n] >= min && value[n] <= max + && value[n] - min < field->maxusage && field->usage[value[n] - min].hid && search(field->value, value[n], count)) hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt); |