[Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
Dan Carpenter
dan.carpenter at oracle.com
Mon Jul 20 11:54:01 UTC 2020
On Sat, Jul 18, 2020 at 07:12:18PM -0400, Peilin Ye wrote:
> `uref->usage_index` is not always being properly checked, causing
> hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
>
Yeah. This code is not obvious. It doesn't come from the user directly
so we don't have to worry about nospec. It comes from hiddev_lookup_usage()
where we set:
uref->usage_index = j;
We know that j is less than field->maxusage but we do need to check
against field->report_count like your patch does... The two arrays
are allocated in hid_register_field().
I don't know the code well enough to say how these arrays are used or
why the one is larger than the other so I can't give a proper
reviewed-by. But the patch looks reasonable and doesn't introduce any
bugs which weren't there in the original code.
regards,
dan carpenter
More information about the Linux-kernel-mentees
mailing list