lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 8 Jan 2021 14:52:09 +0100 (CET)
From:   Jiri Kosina <jikos@...nel.org>
To:     Randy Dunlap <rdunlap@...radead.org>
cc:     linux-kernel@...r.kernel.org,
        syzbot+1e911ad71dd4ea72e04a@...kaller.appspotmail.com,
        Benjamin Tissoires <benjamin.tissoires@...hat.com>,
        linux-input@...r.kernel.org
Subject: Re: [PATCH] HID: core: detect and skip invalid inputs to snto32()

On Wed, 16 Dec 2020, Randy Dunlap wrote:

> Prevent invalid (0, 0) inputs to hid-core's snto32() function.
> 
> Maybe it is just the dummy device here that is causing this, but
> there are hundreds of calls to snto32(0, 0). Having n (bits count)
> of 0 is causing the current UBSAN trap with a shift value of
> 0xffffffff (-1, or n - 1 in this function).
> 
> Either of the value to shift being 0 or the bits count being 0 can be
> handled by just returning 0 to the caller, avoiding the following
> complex shift + OR operations:
> 
> 	return value & (1 << (n - 1)) ? value | (~0U << n) : value;
> 
> Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
> Signed-off-by: Randy Dunlap <rdunlap@...radead.org>
> Reported-by: syzbot+1e911ad71dd4ea72e04a@...kaller.appspotmail.com
> Cc: Jiri Kosina <jikos@...nel.org>
> Cc: Benjamin Tissoires <benjamin.tissoires@...hat.com>
> Cc: linux-input@...r.kernel.org
> ---
>  drivers/hid/hid-core.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> --- lnx-510.orig/drivers/hid/hid-core.c
> +++ lnx-510/drivers/hid/hid-core.c
> @@ -1307,6 +1307,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);
>  
>  static s32 snto32(__u32 value, unsigned n)
>  {
> +	if (!value || !n)
> +		return 0;
> +

Given the fact that this has been in the code basically since ever, we're 
probably fine, but it's good to have this fixed nevertheless. Applied 
conservatively to hid.git#for-5.12/core.

Thanks,

-- 
Jiri Kosina
SUSE Labs

Powered by blists - more mailing lists