On Tue, 10 Dec 2019, Alan Stern wrote: > The syzbot fuzzer found a slab-out-of-bounds bug in the HID report > handler. The bug was caused by a report descriptor which included a > field with size 12 bits and count 4899, for a total size of 7349 > bytes. > > The usbhid driver uses at most a single-page 4-KB buffer for reports. > In the test there wasn't any problem about overflowing the buffer, > since only one byte was received from the device. Rather, the bug > occurred when the HID core tried to extract the data from the report > fields, which caused it to try reading data beyond the end of the > allocated buffer. > > This patch fixes the problem by rejecting any report whose total > length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow > for a possible report index). In theory a device could have a report > longer than that, but if there was such a thing we wouldn't handle it > correctly anyway. > > Reported-and-tested-by: syzbot+09ef48aa58261464b621@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> > CC: <stable@xxxxxxxxxxxxxxx> Thanks for hunting this down Alan. Applied. -- Jiri Kosina SUSE Labs
