| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Jun 2024 10:09:43 -0700
From: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
To: Jiri Kosina <jikos@...nel.org>, Kees Cook <kees@...nel.org>
CC: Benjamin Tissoires <bentiss@...nel.org>, Kees Cook
<keescook@...omium.org>, <linux-usb@...r.kernel.org>,
<linux-input@...r.kernel.org>, <syzkaller-bugs@...glegroups.com>,
<linux-kernel@...r.kernel.org>,
<syzbot+c52569baf0c843f35495@...kaller.appspotmail.com>,
<linux-hardening@...r.kernel.org>
Subject: Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in
usbhid_parse()
Hi,
On 6/4/24 07:15, Jiri Kosina wrote:
> On Tue, 4 Jun 2024, Kees Cook wrote:
>
>> This isn't the right solution. The problem is that hid_class_descriptor
>> is a flexible array but was sized as a single element fake flexible
>> array:
>>
>> struct hid_descriptor {
>> __u8 bLength;
>> __u8 bDescriptorType;
>> __le16 bcdHID;
>> __u8 bCountryCode;
>> __u8 bNumDescriptors;
>>
>> struct hid_class_descriptor desc[1];
>> } __attribute__ ((packed));
>>
>> This likely needs to be:
>>
>> struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
>>
>> And then check for any sizeof() uses of the struct that might have changed.
>
> Ah, you are of course right, not sure what I was thinking. Thanks a lot
> for catching my brainfart.
>
> I am dropping the patch for now; Nikita, will you please send a refreshed
> one?
>
Thanks for catching my mistake.
I'll gladly send a revised version, hoping to do it very soon.
Regards,
Nikita
Powered by blists - more mailing lists