lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 24 Apr 2014 18:26:38 -0400
From:	Benjamin Tissoires <benjamin.tissoires@...hat.com>
To:	Andrew Duggan <aduggan@...aptics.com>,
	Christopher Heiny <cheiny@...aptics.com>,
	Jiri Kosina <jkosina@...e.cz>, linux-input@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH] HID: rmi: do not fetch more than 16 bytes in a query

A firmware bug is present on the XPS Haswell edition which silently
split the request in two responses when the caller ask for a read of
more than 16 bytes.
The FW sends the first 16 then the 4 next, but it says that it answered
the 20 bytes in the first report.

This occurs only on the retrieving of the min/max of X and Y of the F11
function.
We only use the first 10 bytes of the Ctrl register, so we can get only
those 10 bytes to prevent the bug from happening.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1090161

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@...hat.com>
---
 drivers/hid/hid-rmi.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
index 7da9509..cee89c9 100644
--- a/drivers/hid/hid-rmi.c
+++ b/drivers/hid/hid-rmi.c
@@ -613,10 +613,15 @@ static int rmi_populate_f11(struct hid_device *hdev)
 		}
 	}
 
-	/* retrieve the ctrl registers */
-	ret = rmi_read_block(hdev, data->f11.control_base_addr, buf, 20);
+	/*
+	 * retrieve the ctrl registers
+	 * the ctrl register has a size of 20 but a fw bug split it into 16 + 4,
+	 * and there is no way to know if the first 20 bytes are here or not.
+	 * We use only the first 10 bytes, so get only them.
+	 */
+	ret = rmi_read_block(hdev, data->f11.control_base_addr, buf, 10);
 	if (ret) {
-		hid_err(hdev, "can not read ctrl block of size 20: %d.\n", ret);
+		hid_err(hdev, "can not read ctrl block of size 10: %d.\n", ret);
 		return ret;
 	}
 
-- 
1.9.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ