ACK/Cmnt: [PATCH] Input: gtco - fix potential out-of-bound access
Stefan Bader
stefan.bader at canonical.com
Mon Jul 23 13:22:10 UTC 2018
On 20.07.2018 15:10, Colin King wrote:
> From: Dmitry Torokhov <dmitry.torokhov at gmail.com>
>
> CVE-2017-16643
>
> parse_hid_report_descriptor() has a while (i < length) loop, which
> only guarantees that there's at least 1 byte in the buffer, but the
> loop body can read multiple bytes which causes out-of-bounds access.
>
> Reported-by: Andrey Konovalov <andreyknvl at google.com>
> Reviewed-by: Andrey Konovalov <andreyknvl at google.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
> (clean upstream cherry pick from commit a50829479f58416a013a4ccca791336af3c584c7)
> Acked-by: Colin Ian King <colin.king at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
-> (cherry picked from commit a50829479f58416a013a4ccca791336af3c584c7)
> drivers/input/tablet/gtco.c | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
> index b796e89..4b8b9d7 100644
> --- a/drivers/input/tablet/gtco.c
> +++ b/drivers/input/tablet/gtco.c
> @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
>
> /* Walk this report and pull out the info we need */
> while (i < length) {
> - prefix = report[i];
> -
> - /* Skip over prefix */
> - i++;
> + prefix = report[i++];
>
> /* Determine data size and save the data in the proper variable */
> - size = PREF_SIZE(prefix);
> + size = (1U << PREF_SIZE(prefix)) >> 1;
> + if (i + size > length) {
> + dev_err(ddev,
> + "Not enough data (need %d, have %d)\n",
> + i + size, length);
> + break;
> + }
> +
> switch (size) {
> case 1:
> data = report[i];
> @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> case 2:
> data16 = get_unaligned_le16(&report[i]);
> break;
> - case 3:
> - size = 4;
> + case 4:
> data32 = get_unaligned_le32(&report[i]);
> break;
> }
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180723/486a0e37/attachment.sig>
More information about the kernel-team
mailing list