Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull HID fixes from Jiri Kosina:

- fix for potential out-of-bounds memory access (found by fuzzing,
likely requires specially crafted device to trigger) by Jaejoong Kim

- two new device IDs for elecom driver from Alex Manoussakis

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: hid-elecom: extend to fix descriptor for HUGE trackball
HID: usbhid: fix out-of-bounds bug

Linus Torvalds 8 years ago be7484ac 7702f476

+25 -5

5 changed files

expand all

drivers

hid

Kconfig

hid-core.c

hid-elecom.c

hid-ids.h

usbhid

hid-core.c

drivers/hid/Kconfig

··· 281 281 Support for ELECOM devices: 282 282 - BM084 Bluetooth Mouse 283 283 - DEFT Trackball (Wired and wireless) 284 + - HUGE Trackball (Wired and wireless) 284 285 285 286 config HID_ELO 286 287 tristate "ELO USB 4000/4500 touchscreen"

drivers/hid/hid-core.c

··· 2032 2032 { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) }, 2033 2033 { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRED) }, 2034 2034 { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRELESS) }, 2035 + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRED) }, 2036 + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRELESS) }, 2035 2037 #endif 2036 2038 #if IS_ENABLED(CONFIG_HID_ELO) 2037 2039 { HID_USB_DEVICE(USB_VENDOR_ID_ELO, 0x0009) },

+9 -4

drivers/hid/hid-elecom.c

··· 3 3 * Copyright (c) 2010 Richard Nauber <Richard.Nauber@gmail.com> 4 4 * Copyright (c) 2016 Yuxuan Shui <yshuiv7@gmail.com> 5 5 * Copyright (c) 2017 Diego Elio Pettenò <flameeyes@flameeyes.eu> 6 + * Copyright (c) 2017 Alex Manoussakis <amanou@gnu.org> 6 7 */ 7 8 8 9 /* ··· 33 32 break; 34 33 case USB_DEVICE_ID_ELECOM_DEFT_WIRED: 35 34 case USB_DEVICE_ID_ELECOM_DEFT_WIRELESS: 36 - /* The DEFT trackball has eight buttons, but its descriptor only 37 - * reports five, disabling the three Fn buttons on the top of 38 - * the mouse. 35 + case USB_DEVICE_ID_ELECOM_HUGE_WIRED: 36 + case USB_DEVICE_ID_ELECOM_HUGE_WIRELESS: 37 + /* The DEFT/HUGE trackball has eight buttons, but its descriptor 38 + * only reports five, disabling the three Fn buttons on the top 39 + * of the mouse. 39 40 * 40 41 * Apply the following diff to the descriptor: 41 42 * ··· 65 62 * End Collection, End Collection, 66 63 */ 67 64 if (*rsize == 213 && rdesc[13] == 5 && rdesc[21] == 5) { 68 - hid_info(hdev, "Fixing up Elecom DEFT Fn buttons\n"); 65 + hid_info(hdev, "Fixing up Elecom DEFT/HUGE Fn buttons\n"); 69 66 rdesc[13] = 8; /* Button/Variable Report Count */ 70 67 rdesc[21] = 8; /* Button/Variable Usage Maximum */ 71 68 rdesc[29] = 0; /* Button/Constant Report Count */ ··· 79 76 { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) }, 80 77 { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRED) }, 81 78 { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRELESS) }, 79 + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRED) }, 80 + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRELESS) }, 82 81 { } 83 82 }; 84 83 MODULE_DEVICE_TABLE(hid, elecom_devices);

drivers/hid/hid-ids.h

··· 368 368 #define USB_DEVICE_ID_ELECOM_BM084 0x0061 369 369 #define USB_DEVICE_ID_ELECOM_DEFT_WIRED 0x00fe 370 370 #define USB_DEVICE_ID_ELECOM_DEFT_WIRELESS 0x00ff 371 + #define USB_DEVICE_ID_ELECOM_HUGE_WIRED 0x010c 372 + #define USB_DEVICE_ID_ELECOM_HUGE_WIRELESS 0x010d 371 373 372 374 #define USB_VENDOR_ID_DREAM_CHEEKY 0x1d34 373 375 #define USB_DEVICE_ID_DREAM_CHEEKY_WN 0x0004

+11 -1

drivers/hid/usbhid/hid-core.c

··· 975 975 unsigned int rsize = 0; 976 976 char *rdesc; 977 977 int ret, n; 978 + int num_descriptors; 979 + size_t offset = offsetof(struct hid_descriptor, desc); 978 980 979 981 quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor), 980 982 le16_to_cpu(dev->descriptor.idProduct)); ··· 999 997 return -ENODEV; 1000 998 } 1001 999 1000 + if (hdesc->bLength < sizeof(struct hid_descriptor)) { 1001 + dbg_hid("hid descriptor is too short\n"); 1002 + return -EINVAL; 1003 + } 1004 + 1002 1005 hid->version = le16_to_cpu(hdesc->bcdHID); 1003 1006 hid->country = hdesc->bCountryCode; 1004 1007 1005 - for (n = 0; n < hdesc->bNumDescriptors; n++) 1008 + num_descriptors = min_t(int, hdesc->bNumDescriptors, 1009 + (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); 1010 + 1011 + for (n = 0; n < num_descriptors; n++) 1006 1012 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) 1007 1013 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); 1008 1014