lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.00.1212061101100.28002@pobox.suse.cz>
Date:	Thu, 6 Dec 2012 11:01:48 +0100 (CET)
From:	Jiri Kosina <jkosina@...e.cz>
To:	Jean Delvare <khali@...ux-fr.org>
Cc:	Benjamin Tissoires <benjamin.tissoires@...il.com>,
	linux-input@...r.kernel.org, linux-i2c@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 4/4] HID: i2c-hid: fix i2c_hid_get_raw_report count
 mismatches

On Wed, 5 Dec 2012, Jean Delvare wrote:

> > The previous memcpy implementation relied on the size advertized by the
> > device. There were no guarantees that buf was big enough.
> > 
> > Some gymnastic is also required with the +2/-2 to take into account
> > the first 2 bytes of the returned buffer where the total returned
> > length is supplied by the device.
> > 
> > Signed-off-by: Benjamin Tissoires <benjamin.tissoires@...il.com>
> > ---
> >  drivers/hid/i2c-hid/i2c-hid.c | 16 ++++++++++++----
> >  1 file changed, 12 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> > index c6630d4..ce01d59 100644
> > --- a/drivers/hid/i2c-hid/i2c-hid.c
> > +++ b/drivers/hid/i2c-hid/i2c-hid.c
> > @@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid,
> >  {
> >  	struct i2c_client *client = hid->driver_data;
> >  	struct i2c_hid *ihid = i2c_get_clientdata(client);
> > +	size_t ret_count, ask_count;
> >  	int ret;
> >  
> >  	if (report_type == HID_OUTPUT_REPORT)
> >  		return -EINVAL;
> >  
> > -	if (count > ihid->bufsize)
> > -		count = ihid->bufsize;
> > +	/* +2 bytes to include the size of the reply in the query buffer */
> > +	ask_count = min(count + 2, (size_t)ihid->bufsize);
> >  
> >  	ret = i2c_hid_get_report(client,
> >  			report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
> > -			report_number, ihid->inbuf, count);
> > +			report_number, ihid->inbuf, ask_count);
> >  
> >  	if (ret < 0)
> >  		return ret;
> >  
> > -	count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
> > +	ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
> >  
> > +	if (!ret_count)
> 
> I'd make this (ret_count <= 2), as this would let you call memcpy with a
> null or even negative length.

Good catch, it doesn't account for the 2 bytes needed for storing the 
reply size.

I have fixed that and applied the patch, thanks everybody!

-- 
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ