Re: hid-pidff.c: null-pointer deref if optional HID reports are not present

Cc Anssi

On 05. 11. 24, 1:30, Nolan Nicholson wrote:
> Hello,
>
> (This is my first time reporting a Linux bug; please accept my apologies for any mistakes in the process.)
>
> When initializing a HID PID device, hid-pidff.c checks for eight required HID reports and five optional reports. If the eight required reports are present, the hid_pidff_init() function then attempts to find the necessary fields in each required or optional report, using the pidff_find_fields() function. However, if any of the five optional reports is not present, pidff_find_fields() will trigger a null-pointer dereference.
>
> I recently implemented the descriptors for a USB HID device with PID force-feedback capability. After implementing the required report descriptors but not the optional ones, I got an OOPS from the pidff_find_fields function. I saved the OOPS from my Ubuntu installation, and have attached it here. I later reproduced the issue on 6.11.6.
>
> I was able to work around the issue by having my device present all of the optional report descriptors as well as all of the required ones.

Indeed. The code checks the required ones in pidff_reports_ok(). But the optional ones are not checked at all and are directly accessed in both pidff_init_fields() and also likely pidff_find_special_fields().

thanks,
--
js
suse labs
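
A user-space model of the failure discussed in this thread, added here as an illustration and not taken from hid-pidff.c or from either poster. All `model_*` names and `struct model_report` are hypothetical; only the counts of eight required and five optional reports come from the report above.

```c
#include <stddef.h>

#define N_REQUIRED 8   /* report counts as stated in the bug report */
#define N_OPTIONAL 5
#define N_REPORTS  (N_REQUIRED + N_OPTIONAL)

/* Hypothetical stand-in for a parsed HID report; NULL slot = not present. */
struct model_report { int maxfield; };

/* Only the required slots are validated, as the thread describes. */
static int model_reports_ok(struct model_report *r[N_REPORTS])
{
    for (int i = 0; i < N_REQUIRED; i++)
        if (r[i] == NULL)
            return 0;
    return 1;
}

/* Unguarded lookup: faults if handed a NULL (absent optional) report. */
static int model_find_fields_unguarded(const struct model_report *report)
{
    return report->maxfield;
}

/* Guarded lookup: an absent report yields -1 instead of a dereference. */
static int model_find_fields(const struct model_report *report)
{
    return report ? model_find_fields_unguarded(report) : -1;
}

/* Returns usable optional reports, or -1 if a required one is missing. */
static int model_init(struct model_report *r[N_REPORTS])
{
    int usable = 0;

    if (!model_reports_ok(r))
        return -1;
    for (int i = N_REQUIRED; i < N_REPORTS; i++)
        if (model_find_fields(r[i]) >= 0)
            usable++;          /* absent optional reports are skipped */
    return usable;
}

int main(void)
{
    struct model_report rep = { 1 };           /* constructed sample report */
    struct model_report *r[N_REPORTS] = { 0 };
    for (int i = 0; i < N_REQUIRED; i++) r[i] = &rep;
    return model_init(r) == 0 ? 0 : 1;         /* required only: no crash */
}
```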




