Re: [PATCH v3] HID: core: Sanitize event code and type when mapping input

Marc Zyngier <maz@xxxxxxxxxx> · Tue, 01 Sep 2020 10:44:28 +0100

On 2020-08-27 22:05, Marc Zyngier wrote:
When calling into hid_map_usage(), the passed event code is
blindly stored as is, even if it doesn't fit in the associated bitmap.

This event code can come from a variety of sources, including devices
masquerading as input devices, only a bit more "programmable".

Instead of taking the event code at face value, check that it actually
fits the corresponding bitmap, and if it doesn't:
- spit out a warning so that we know which device is acting up
- NULLify the bitmap pointer so that we catch unexpected uses

Code paths that can make use of untrusted inputs can now check
that the mapping was indeed correct and bail out if not.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Marc Zyngier <maz@xxxxxxxxxx>
---
* From v2:
  - Don't prematurely narrow the event code so that hid_map_usage()
    catches illegal values beyond the 16bit limit.

* From v1:
  - Dropped the input.c changes, and turned hid_map_usage() into
    the validation primitive.
  - Handle mapping failures in hidinput_configure_usage() and
    mt_touch_input_mapping() (on top of hid_map_usage_clear() which
    was already handled)

 drivers/hid/hid-input.c      |  4 ++++
 drivers/hid/hid-multitouch.c |  2 ++
 drivers/mfd/syscon.c         |  2 +-
 include/linux/hid.h          | 42 +++++++++++++++++++++++++-----------
 4 files changed, 36 insertions(+), 14 deletions(-)


[...]

diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
index 7a660411c562..75859e492984 100644
--- a/drivers/mfd/syscon.c
+++ b/drivers/mfd/syscon.c
@@ -108,6 +108,7 @@ static struct syscon *of_syscon_register(struct
device_node *np, bool check_clk)
 	syscon_config.max_register = resource_size(&res) - reg_io_width;

 	regmap = regmap_init_mmio(NULL, base, &syscon_config);
+	kfree(syscon_config.name);
 	if (IS_ERR(regmap)) {
 		pr_err("regmap init failed\n");
 		ret = PTR_ERR(regmap);
@@ -144,7 +145,6 @@ static struct syscon *of_syscon_register(struct
device_node *np, bool check_clk)
 	regmap_exit(regmap);
 err_regmap:
 	iounmap(base);
-	kfree(syscon_config.name);
 err_map:
 	kfree(syscon);
 	return ERR_PTR(ret);


This hunk is totally unrelated, and is from another fix I was working
on at the same time... Sorry for the nois, I'll post v4 (hopefully 
final)
now.

        M.
--
Jazz is not dead. It just smells funny...






