lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1b40561a-580d-406a-bb2c-1398dce7fb90@kernel.org>
Date: Tue, 5 Nov 2024 08:40:43 +0100
From: Jiri Slaby <jirislaby@...nel.org>
To: Nolan Nicholson <nolananicholson@...il.com>, stable@...r.kernel.org
Cc: jikos@...nel.org, bentiss@...nel.org, linux-usb@...r.kernel.org,
 linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
 anssi.hannula@...il.com
Subject: Re: hid-pidff.c: null-pointer deref if optional HID reports are not
 present

Cc Anssi

On 05. 11. 24, 1:30, Nolan Nicholson wrote:
> Hello,
> 
> (This is my first time reporting a Linux bug; please accept my apologies 
> for any mistakes in the process.)
> 
> When initializing a HID PID device, hid-pidff.c checks for eight 
> required HID reports and five optional reports. If the eight required 
> reports are present, the hid_pidff_init() function then attempts to find 
> the necessary fields in each required or optional report, using the 
> pidff_find_fields() function. However, if any of the five optional 
> reports is not present, pidff_find_fields() will trigger a null-pointer 
> dereference.
> 
> I recently implemented the descriptors for a USB HID device with PID 
> force-feedback capability. After implementing the required report 
> descriptors but not the optional ones, I got an OOPS from the 
> pidff_find_fields function. I saved the OOPS from my Ubuntu 
> installation, and have attached it here. I later reproduced the issue on 
> 6.11.6.
> 
> I was able to work around the issue by having my device present all of 
> the optional report descriptors as well as all of the required ones.

Indeed. The code checks the required ones in pidff_reports_ok(). But the 
optional ones are not checked at all and are directly accessed in both 
pidff_init_fields() and also likely pidff_find_special_fields().

thanks,
-- 
js
suse labs


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ