Re: [syzbot] WARNING in hid_submit_ctrl/usb_submit_urb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 20 Aug 2021, Alan Stern wrote:

> > syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> 
> That's good to know.  Still, I suspect there's a better way of handling 
> this condition.
> 
> In particular, does it make sense to accept descriptors for input or 
> feature reports with length zero?  I can't imagine what good such 
> reports would do.

I quickly went through drivers + some hidraw users, and can't spot any use 
case for it.

> On the other hand, I'm not familiar enough with the code to know the 
> right way to reject these descriptors and reports.  It looks like the 
> HID subsystem was not designed with this sort of check in mind.
> 
> Benjamin and Jiri, what do you think?  Is it okay to allow descriptors 
> for zero-length reports and just pretend they have length 1 (as the 
> patch tested by syzbot did), or should we instead reject them during 
> probing?

I think it's a good band-aid for 5.14 (or 5.14-stable if we don't make 
it), and if it turns out to break something (which I don't expect), than 
we can look into rejecting already during probe.

Benjamin, is there a way to run this quickly through your HID regression 
testing machinery?

Thanks,

-- 
Jiri Kosina
SUSE Labs




[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux