[Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage()

Dan Carpenter dan.carpenter at oracle.com
Mon Jul 20 11:54:01 UTC 2020


On Sat, Jul 18, 2020 at 07:12:18PM -0400, Peilin Ye wrote:
> `uref->usage_index` is not always being properly checked, causing
> hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
> 

Yeah.  This code is not obvious.  It doesn't come from the user directly
so we don't have to worry about nospec.  It comes from hiddev_lookup_usage()
where we set:

	uref->usage_index = j;

We know that j is less than field->maxusage but we do need to check
against field->report_count like your patch does...  The two arrays
are allocated in hid_register_field().

I don't know the code well enough to say how these arrays are used or
why the one is larger than the other so I can't give a proper
reviewed-by.  But the patch looks reasonable and doesn't introduce any
bugs which weren't there in the original code.

regards,
dan carpenter



More information about the Linux-kernel-mentees mailing list