Date:   Mon, 13 Nov 2017 18:07:31 +0800
From:   Chen Yu <chenyu56@...wei.com>
To:     <jikos@...nel.org>, <linux-input@...r.kernel.org>,
        lkml <linux-kernel@...r.kernel.org>, <huangbobupt@....com>
CC:     <wangbinghui@...ilicon.com>
Subject: HID:panic in hid-betopff.c

Hi,

There is a possible panic in function hid_betopff_play():

static int hid_betopff_play(struct input_dev *dev, void *data,
                         struct ff_effect *effect)
{
        struct hid_device *hid = input_get_drvdata(dev);
        struct betopff_device *betopff = data;
        __u16 left, right;

        left = effect->u.rumble.strong_magnitude;
        right = effect->u.rumble.weak_magnitude;

        betopff->report->field[2]->value[0] = left / 256;  /// betopff->report->field[2] could be NULL
        betopff->report->field[3]->value[0] = right / 256; /// so could betopff->report->field[3]

        hid_hw_request(hid, betopff->report, HID_REQ_SET_REPORT);

        return 0;
}

In function betopff_init(), calculation of "field_count" seems wrong:

static int betopff_init(struct hid_device *hid)
{
        struct betopff_device *betopff;
        struct hid_report *report;
        struct hid_input *hidinput =
                        list_first_entry(&hid->inputs, struct hid_input, list);
        struct list_head *report_list =
                        &hid->report_enum[HID_OUTPUT_REPORT].report_list;
        struct input_dev *dev = hidinput->input;
        int field_count = 0;
        int error;
        int i, j;

        if (list_empty(report_list)) {
                hid_err(hid, "no output reports found\n");
                return -ENODEV;
        }

        report = list_first_entry(report_list, struct hid_report, list);
        /*
         * Actually there are 4 fields for 4 Bytes as below:
         * -----------------------------------------
         * Byte0  Byte1  Byte2    Byte3
         * 0x00   0x00   left_motor right_motor
         * -----------------------------------------
         * Do init them with default value.
         */
        for (i = 0; i < report->maxfield; i++) {
                for (j = 0; j < report->field[i]->report_count; j++) {
                        report->field[i]->value[j] = 0x00;
                        field_count++;                      /// this line should be out of this loop
                }
        }

        if (field_count < 4) {
                hid_err(hid, "not enough fields in the report: %d\n",
                                field_count);
                return -ENODEV;
        }

Do I misunderstand the code here?

Thanks and Regards
Yu Chen
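
An added illustration, not part of the original message or of the kernel source: a userspace C model of the field_count check quoted above, beside a check on the shape of the report. The struct layouts, the function names and the two sample reports are assumptions constructed for this example.

```c
/* Userspace model; the structs are simplified stand-ins, not kernel code. */
#include <stdio.h>

struct field  { unsigned report_count; int value[4]; };
struct report { unsigned maxfield; struct field *field[8]; };

/* Check as posted: the counter advances once per value, not once per field. */
static int check_as_posted(const struct report *r)
{
    unsigned i, j, field_count = 0;
    for (i = 0; i < r->maxfield; i++)
        for (j = 0; j < r->field[i]->report_count; j++)
            field_count++;
    return field_count >= 4;
}

/* Shape check: play() writes field[2]->value[0] and field[3]->value[0], so
 * require four fields, each present and holding at least one value. */
static int check_shape(const struct report *r)
{
    unsigned i;
    if (r->maxfield < 4)
        return 0;
    for (i = 0; i < 4; i++)
        if (r->field[i] == NULL || r->field[i]->report_count < 1)
            return 0;
    return 1;
}

/* True if the two stores in hid_betopff_play() would go through NULL. */
static int play_hits_null(const struct report *r)
{
    return r->field[2] == NULL || r->field[3] == NULL;
}

/* Constructed reports: one field of four values, and four fields of one. */
static struct field wide = { 4, {0} }, a = { 1, {0} }, b = { 1, {0} },
                    c = { 1, {0} }, d = { 1, {0} };
static struct report one_field   = { 1, { &wide } };
static struct report four_fields = { 4, { &a, &b, &c, &d } };

int main(void)
{
    const struct report *r[] = { &one_field, &four_fields };
    for (int i = 0; i < 2; i++)
        printf("report %d: posted=%d shape=%d null=%d\n", i,
               check_as_posted(r[i]), check_shape(r[i]), play_hits_null(r[i]));
    return 0;
}
```

The single-field report satisfies the posted check while leaving field[2] and field[3] unset, which is the case the message points at; the shape check rejects it.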
