Patch "HID: betop: check shape of output reports" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 24 Jan 2023 06:40:06 -0500

This is a note to let you know that I've just added the patch titled

    HID: betop: check shape of output reports

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     hid-betop-check-shape-of-output-reports.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ec87bec9f327297b83a9270e01a18562dcbc4711
Author: Pietro Borrello <borrello@xxxxxxxxxxxxxxxx>
Date:   Wed Jan 11 18:12:16 2023 +0000

    HID: betop: check shape of output reports
    
    [ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ]
    
    betopff_init() only checks the total sum of the report counts for each
    report field to be at least 4, but hid_betopff_play() expects 4 report
    fields.
    A device advertising an output report with one field and 4 report counts
    would pass the check but crash the kernel with a NULL pointer dereference
    in hid_betopff_play().
    
    Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c")
    Signed-off-by: Pietro Borrello <borrello@xxxxxxxxxxxxxxxx>
    Signed-off-by: Jiri Kosina <jkosina@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
index 467d789f9bc2..25ed7b9a917e 100644
--- a/drivers/hid/hid-betopff.c
+++ b/drivers/hid/hid-betopff.c
@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid)
 	struct list_head *report_list =
 			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 	struct input_dev *dev;
-	int field_count = 0;
 	int error;
 	int i, j;
 
@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid)
 	 * -----------------------------------------
 	 * Do init them with default value.
 	 */
+	if (report->maxfield < 4) {
+		hid_err(hid, "not enough fields in the report: %d\n",
+				report->maxfield);
+		return -ENODEV;
+	}
 	for (i = 0; i < report->maxfield; i++) {
+		if (report->field[i]->report_count < 1) {
+			hid_err(hid, "no values in the field\n");
+			return -ENODEV;
+		}
 		for (j = 0; j < report->field[i]->report_count; j++) {
 			report->field[i]->value[j] = 0x00;
-			field_count++;
 		}
 	}
 
-	if (field_count < 4) {
-		hid_err(hid, "not enough fields in the report: %d\n",
-				field_count);
-		return -ENODEV;
-	}
-
 	betopff = kzalloc(sizeof(*betopff), GFP_KERNEL);
 	if (!betopff)
 		return -ENOMEM;






