Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning

From: syzbot
Date: Sat Dec 23 2023 - 15:00:00 EST

Next message: Alan Stern: "Re: [PATCH v2] usb: core: Add quirk for Logitech Rallybar"
Previous message: Javier Carrasco: "Re: [PATCH 0/2] iio: light: add support for AMS AS7331"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
Author: tintinm2017@xxxxxxxxx

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
Requesting help from the maintainers to understand what is really going wrong in the code.

Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.

Signed-off-by: Attreyee Mukherjee <tintinm2017@xxxxxxxxx>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));

for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);

--
2.34.1

Next message: Alan Stern: "Re: [PATCH v2] usb: core: Add quirk for Logitech Rallybar"
Previous message: Javier Carrasco: "Re: [PATCH 0/2] iio: light: add support for AMS AS7331"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]