Message-ID: <nycvar.YFH.7.76.2411061730050.20286@cbobk.fhfr.pm>
Date: Wed, 6 Nov 2024 17:30:54 +0100 (CET)
From: Jiri Kosina <jikos@...nel.org>
To: Jiri Slaby <jirislaby@...nel.org>
cc: Nolan Nicholson <nolananicholson@...il.com>, stable@...r.kernel.org, 
    bentiss@...nel.org, linux-usb@...r.kernel.org, linux-input@...r.kernel.org, 
    linux-kernel@...r.kernel.org, anssi.hannula@...il.com
Subject: Re: hid-pidff.c: null-pointer deref if optional HID reports are not
 present

On Tue, 5 Nov 2024, Jiri Slaby wrote:

> > (This is my first time reporting a Linux bug; please accept my apologies for
> > any mistakes in the process.)
> > 
> > When initializing a HID PID device, hid-pidff.c checks for eight required
> > HID reports and five optional reports. If the eight required reports are
> > present, the hid_pidff_init() function then attempts to find the necessary
> > fields in each required or optional report, using the pidff_find_fields()
> > function. However, if any of the five optional reports is not present,
> > pidff_find_fields() will trigger a null-pointer dereference.
> > 
> > I recently implemented the descriptors for a USB HID device with PID
> > force-feedback capability. After implementing the required report
> > descriptors but not the optional ones, I got an OOPS from the
> > pidff_find_fields function. I saved the OOPS from my Ubuntu installation,
> > and have attached it here. I later reproduced the issue on 6.11.6.
> > 
> > I was able to work around the issue by having my device present all of the
> > optional report descriptors as well as all of the required ones.
> 
> Indeed. The code checks the required ones in pidff_reports_ok(). But the
> optional ones are not checked at all and are directly accessed in both
> pidff_init_fields() and also likely pidff_find_special_fields().

Thanks for the report.

Nolan, will you be willing to create a patch implementing proper checking, 
test it with your device that's triggering it, and submit it in order to 
be applied?

Thanks,

-- 
Jiri Kosina
SUSE Labs
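
The failure mode described in the quoted report, as an added example that is not part of this message and is not the kernel's hid-pidff.c code: a simplified user-space model in which a field lookup receives a NULL pointer for an absent optional report, with the check that keeps it from being dereferenced. All struct, function and macro names here are hypothetical, and the sample device is constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define REQUIRED 8   /* report counts as stated in the bug report */
#define OPTIONAL 5
#define TOTAL (REQUIRED + OPTIONAL)
struct report { int maxfield; const int *usages; };  /* hypothetical parsed report */
struct device { const struct report *reports[TOTAL]; }; /* NULL: report absent */

/* Number of wanted usages found in r, or -1 when the report is absent. */
static int find_fields(const struct report *r, const int *wanted, int count)
{
    int found = 0;
    if (!r)   /* without this check, r->maxfield below dereferences NULL */
        return -1;
    for (int i = 0; i < count; i++)
        for (int f = 0; f < r->maxfield; f++)
            if (r->usages[f] == wanted[i]) { found++; break; }
    return found;
}

/* 0 on success, *opt = bitmask of usable optional reports;
 * -1 when a required report is missing or incomplete. */
static int init_fields(const struct device *d, const int *wanted, int count, unsigned *opt)
{
    *opt = 0;
    for (int i = 0; i < TOTAL; i++) {
        int n = find_fields(d->reports[i], wanted, count);
        if (i < REQUIRED && n != count)
            return -1;
        if (i >= REQUIRED && n == count)
            *opt |= 1u << (i - REQUIRED);
    }
    return 0;
}

/* Constructed sample: bit i of present_mask decides whether report i exists. */
static int probe_sample(unsigned present_mask)
{
    static const int usages[] = { 1, 2 };
    static const struct report full = { 2, usages };
    struct device d;
    unsigned opt;
    for (int i = 0; i < TOTAL; i++)
        d.reports[i] = ((present_mask >> i) & 1) ? &full : NULL;
    return init_fields(&d, usages, 2, &opt) < 0 ? -1 : (int)opt;
}

int main(void) { printf("required only: %d\n", probe_sample(0x00FF)); return 0; }
```

A device that presents only the eight required reports (mask `0x00FF`) initializes with an empty optional mask instead of faulting.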

