| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <nycvar.YFH.7.76.2406041614210.24940@cbobk.fhfr.pm>
Date: Tue, 4 Jun 2024 16:15:18 +0200 (CEST)
From: Jiri Kosina <jikos@...nel.org>
To: Kees Cook <kees@...nel.org>
cc: Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
Benjamin Tissoires <bentiss@...nel.org>, Kees Cook <keescook@...omium.org>,
linux-usb@...r.kernel.org, linux-input@...r.kernel.org,
syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org,
syzbot+c52569baf0c843f35495@...kaller.appspotmail.com,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] HID: usbhid: fix recurrent out-of-bounds bug in
usbhid_parse()
On Tue, 4 Jun 2024, Kees Cook wrote:
> This isn't the right solution. The problem is that hid_class_descriptor
> is a flexible array but was sized as a single element fake flexible
> array:
>
> struct hid_descriptor {
> __u8 bLength;
> __u8 bDescriptorType;
> __le16 bcdHID;
> __u8 bCountryCode;
> __u8 bNumDescriptors;
>
> struct hid_class_descriptor desc[1];
> } __attribute__ ((packed));
>
> This likely needs to be:
>
> struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
>
> And then check for any sizeof() uses of the struct that might have changed.
Ah, you are of course right, not sure what I was thinking. Thanks a lot
for catching my brainfart.
I am dropping the patch for now; Nikita, will you please send a refreshed
one?
--
Jiri Kosina
SUSE Labs
Powered by blists - more mailing lists