Hi, What's happened to getting a new version of this patch? This flaw is still reachable in -next from what I can see? Thanks, -Kees On Sat, Dec 23, 2023 at 11:59:51AM -0800, syzbot wrote: > For archival purposes, forwarding an incoming command email to > linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx. > > *** > > Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning > Author: tintinm2017@xxxxxxxxx > > #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master > > Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error. > Requesting help from the maintainers to understand what is really going wrong in the code. > > Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop. > > Signed-off-by: Attreyee Mukherjee <tintinm2017@xxxxxxxxx> > --- > drivers/hid/usbhid/hid-core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c > index a90ed2ceae84..582ddbef448f 100644 > --- a/drivers/hid/usbhid/hid-core.c > +++ b/drivers/hid/usbhid/hid-core.c > @@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid) > (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); > > for (n = 0; n < num_descriptors; n++) > + if (n >= ARRAY_SIZE(hdesc->desc)) > + break; > if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) > rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); > > -- > 2.34.1 > -- Kees Cook
