On Tue, 31 Dec 2024, Alan Stern wrote:

> A report in 2019 by the syzbot fuzzer was found to be connected to two
> errors in the HID core associated with Resolution Multipliers. One of
> the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop
> in hid_apply_multiplier."), but the other has not been fixed.
>
> This error arises because hid_apply_multiplier() assumes that every
> Resolution Multiplier control is contained in a Logical Collection,
> i.e., there's no way the routine can ever set multiplier_collection to
> NULL. This is in spite of the fact that the function starts with a
> big comment saying:
>
> * "The Resolution Multiplier control must be contained in the same
> * Logical Collection as the control(s) to which it is to be applied.
> ...
> * If no Logical Collection is
> * defined, the Resolution Multiplier is associated with all
> * controls in the report."
> * HID Usage Table, v1.12, Section 4.3.1, p30
> *
> * Thus, search from the current collection upwards until we find a
> * logical collection...
>
> The comment and the code overlook the possibility that none of the
> collections found may be a Logical Collection.
>
> The fix is to set the multiplier_collection pointer to NULL if the
> collection found isn't a Logical Collection.
>
> Reported-by: syzbot+ec5f884c4a135aa0dbb9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/all/000000000000109c040597dc5843@xxxxxxxxxx/
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Cc: Peter Hutterer <peter.hutterer@xxxxxxxxx>
> Fixes: 5a4abb36f312 ("HID: core: process the Resolution Multiplier")
> Cc: stable@xxxxxxxxxxxxxxx

Thanks a lot for hunting this down, Alan!

Applied.

-- 
Jiri Kosina
SUSE Labs
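The upward search the commit message describes, and the case it was missing, modelled as an added C example. This is an illustration written for this page, not the kernel's hid_apply_multiplier() and not the patch itself; the collection array, the coll_type enum, the function names and the use of -1 as a stand-in for a NULL multiplier_collection are all assumptions made for the model. The constructed descriptor has one Physical collection nested inside a Logical one and a second Physical collection hanging directly off the Application collection, so the walk from the second one reaches the root without ever meeting a Logical Collection.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a HID collection tree. Assumed for this example;
 * the kernel's struct hid_collection is richer than this. */
enum coll_type { COLL_PHYSICAL, COLL_APPLICATION, COLL_LOGICAL };

struct coll {
    enum coll_type type;
    int parent_idx;   /* -1 for a top-level collection */
};

/* Walk from start_idx toward the root, stopping at the first Logical
 * Collection or at the root, whichever comes first. The index returned
 * is only a Logical Collection if one was actually on the path. */
static int walk_to_logical(const struct coll *c, int start_idx)
{
    int idx = start_idx;
    while (c[idx].parent_idx != -1 && c[idx].type != COLL_LOGICAL)
        idx = c[idx].parent_idx;
    return idx;
}

/* Pre-fix behaviour: whatever the walk stopped on is used as the scope,
 * even when it is not a Logical Collection, so the result is never "none". */
int multiplier_collection_unfixed(const struct coll *c, int start_idx)
{
    return walk_to_logical(c, start_idx);
}

/* Fixed behaviour: if the walk ended on a non-Logical collection there is
 * no Logical Collection above the multiplier, and -1 (our NULL) records
 * that the multiplier applies to all controls in the report. */
int multiplier_collection_fixed(const struct coll *c, int start_idx)
{
    int idx = walk_to_logical(c, start_idx);
    return c[idx].type == COLL_LOGICAL ? idx : -1;
}

/* Is a control living in collection control_idx covered by a multiplier
 * whose resolved scope is mult_idx? */
bool multiplier_applies(const struct coll *c, int control_idx, int mult_idx)
{
    if (mult_idx == -1)
        return true;    /* no Logical Collection: whole report */
    for (int idx = control_idx; idx != -1; idx = c[idx].parent_idx)
        if (idx == mult_idx)
            return true;
    return false;
}

/* Constructed descriptor for the example (not taken from any real device). */
const struct coll sample[] = {
    { COLL_APPLICATION, -1 },   /* 0: root Application collection */
    { COLL_LOGICAL,      0 },   /* 1: Logical collection under the root */
    { COLL_PHYSICAL,     1 },   /* 2: Physical collection inside the Logical one */
    { COLL_PHYSICAL,     0 },   /* 3: Physical collection with no Logical ancestor */
};

int main(void)
{
    printf("multiplier in collection 2 -> scope %d\n",
           multiplier_collection_fixed(sample, 2));            /* 1 */
    printf("multiplier in collection 3 -> fixed %d, unfixed %d\n",
           multiplier_collection_fixed(sample, 3),             /* -1 */
           multiplier_collection_unfixed(sample, 3));          /* 0 */
    printf("control in collection 3 under scope 1?  %d\n",
           multiplier_applies(sample, 3, 1));                  /* 0 */
    printf("control in collection 3 under scope -1? %d\n",
           multiplier_applies(sample, 3, -1));                 /* 1 */
    return 0;
}
```

The unfixed variant hands back the root Application collection for the multiplier in collection 3, so any later code that treats the returned collection as the scope is working with something the HID Usage Table never defined as one; the fixed variant reports "no Logical Collection" explicitly, and the caller then has to handle that value, which is the NULL case the commit message says the routine could never previously produce.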