Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
From: Kees Cook
Date: Tue Mar 05 2024 - 13:55:38 EST
Hi,
What's happened to getting a new version of this patch? This flaw is
still reachable in -next from what I can see?
Thanks,
-Kees
On Sat, Dec 23, 2023 at 11:59:51AM -0800, syzbot wrote:
> For archival purposes, forwarding an incoming command email to
> linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
>
> ***
>
> Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
> Author: tintinm2017@xxxxxxxxx
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
> Requesting help from the maintainers to understand what is really going wrong in the code.
>
> Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.
>
> Signed-off-by: Attreyee Mukherjee <tintinm2017@xxxxxxxxx>
> ---
> drivers/hid/usbhid/hid-core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> index a90ed2ceae84..582ddbef448f 100644
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
> (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
>
> for (n = 0; n < num_descriptors; n++)
> + if (n >= ARRAY_SIZE(hdesc->desc))
> + break;
> if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
> rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
>
> --
> 2.34.1
>
--
Kees Cook