| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202503090701.715nV1DW-lkp@intel.com>
Date: Sun, 9 Mar 2025 05:49:02 +0800
From: kernel test robot <lkp@...el.com>
To: Terry Junge <linuxhid@...micgizmosystems.com>,
Jiri Kosina <jikos@...nel.org>,
Benjamin Tissoires <bentiss@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: oe-kbuild-all@...ts.linux.dev,
Terry Junge <linuxhid@...micgizmosystems.com>,
Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
Alan Stern <stern@...land.harvard.edu>, Kees Cook <kees@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
linux-input@...r.kernel.org, linux-usb@...r.kernel.org,
linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org, syzkaller-bugs@...glegroups.com,
lvc-project@...uxtesting.org,
syzbot+c52569baf0c843f35495@...kaller.appspotmail.com,
stable@...r.kernel.org
Subject: Re: [PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in
usbhid_parse()
Hi Terry,
kernel test robot noticed the following build warnings:
[auto build test WARNING on 58c9bf3363e596d744f56616d407278ef5f97f5a]
url: https://github.com/intel-lab-lkp/linux/commits/Terry-Junge/HID-usbhid-Eliminate-recurrent-out-of-bounds-bug-in-usbhid_parse/20250307-130514
base: 58c9bf3363e596d744f56616d407278ef5f97f5a
patch link: https://lore.kernel.org/r/20250307045449.745634-1-linuxhid%40cosmicgizmosystems.com
patch subject: [PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
config: s390-randconfig-r133-20250308 (https://download.01.org/0day-ci/archive/20250309/202503090701.715nV1DW-lkp@intel.com/config)
compiler: clang version 15.0.7 (https://github.com/llvm/llvm-project 8dfdcc7b7bf66834a761bd8de445840ef68e4d1a)
reproduce: (https://download.01.org/0day-ci/archive/20250309/202503090701.715nV1DW-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503090701.715nV1DW-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/hid/usbhid/hid-core.c:1055:4: warning: format specifies type 'unsigned char' but the argument has type 'int' [-Wformat]
hdesc->bNumDescriptors - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/hid.h:1239:31: note: expanded from macro 'hid_warn'
dev_warn(&(hid)->dev, fmt, ##__VA_ARGS__)
~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:156:70: note: expanded from macro 'dev_warn'
dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap'
_p_func(dev, fmt, ##__VA_ARGS__); \
~~~ ^~~~~~~~~~~
1 warning generated.
vim +1055 drivers/hid/usbhid/hid-core.c
979
980 static int usbhid_parse(struct hid_device *hid)
981 {
982 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
983 struct usb_host_interface *interface = intf->cur_altsetting;
984 struct usb_device *dev = interface_to_usbdev (intf);
985 struct hid_descriptor *hdesc;
986 struct hid_class_descriptor *hcdesc;
987 u32 quirks = 0;
988 unsigned int rsize = 0;
989 char *rdesc;
990 int ret;
991
992 quirks = hid_lookup_quirk(hid);
993
994 if (quirks & HID_QUIRK_IGNORE)
995 return -ENODEV;
996
997 /* Many keyboards and mice don't like to be polled for reports,
998 * so we will always set the HID_QUIRK_NOGET flag for them. */
999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
1002 quirks |= HID_QUIRK_NOGET;
1003 }
1004
1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
1006 (!interface->desc.bNumEndpoints ||
1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
1008 dbg_hid("class descriptor not present\n");
1009 return -ENODEV;
1010 }
1011
1012 if (!hdesc->bNumDescriptors ||
1013 hdesc->bLength != sizeof(*hdesc) +
1014 (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
1015 dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
1016 hdesc->bLength, hdesc->bNumDescriptors);
1017 return -EINVAL;
1018 }
1019
1020 hid->version = le16_to_cpu(hdesc->bcdHID);
1021 hid->country = hdesc->bCountryCode;
1022
1023 if (hdesc->rpt_desc.bDescriptorType == HID_DT_REPORT)
1024 rsize = le16_to_cpu(hdesc->rpt_desc.wDescriptorLength);
1025
1026 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
1027 dbg_hid("weird size of report descriptor (%u)\n", rsize);
1028 return -EINVAL;
1029 }
1030
1031 rdesc = kmalloc(rsize, GFP_KERNEL);
1032 if (!rdesc)
1033 return -ENOMEM;
1034
1035 hid_set_idle(dev, interface->desc.bInterfaceNumber, 0, 0);
1036
1037 ret = hid_get_class_descriptor(dev, interface->desc.bInterfaceNumber,
1038 HID_DT_REPORT, rdesc, rsize);
1039 if (ret < 0) {
1040 dbg_hid("reading report descriptor failed\n");
1041 kfree(rdesc);
1042 goto err;
1043 }
1044
1045 ret = hid_parse_report(hid, rdesc, rsize);
1046 kfree(rdesc);
1047 if (ret) {
1048 dbg_hid("parsing report descriptor failed\n");
1049 goto err;
1050 }
1051
1052 if (hdesc->bNumDescriptors > 1)
1053 hid_warn(intf,
1054 "%hhu unsupported optional hid class descriptors\n",
> 1055 hdesc->bNumDescriptors - 1);
1056
1057 hid->quirks |= quirks;
1058
1059 return 0;
1060 err:
1061 return ret;
1062 }
1063
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Powered by blists - more mailing lists