HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This patch validates the num_values parameter from userland during the
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
leading to a heap overflow.

Cc: stable@vger.kernel.org
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

authored by

Scott Bauer and committed by

Jiri Kosina 9 years ago 93a2001b a80e803a

+5 -5

1 changed file

expand all

drivers

hid

usbhid

hiddev.c

+5 -5

drivers/hid/usbhid/hiddev.c

··· 516 516 goto inval; 517 517 } else if (uref->usage_index >= field->report_count) 518 518 goto inval; 519 - 520 - else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && 521 - (uref_multi->num_values > HID_MAX_MULTI_USAGES || 522 - uref->usage_index + uref_multi->num_values > field->report_count)) 523 - goto inval; 524 519 } 520 + 521 + if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && 522 + (uref_multi->num_values > HID_MAX_MULTI_USAGES || 523 + uref->usage_index + uref_multi->num_values > field->report_count)) 524 + goto inval; 525 525 526 526 switch (cmd) { 527 527 case HIDIOCGUSAGE: