ACK/Cmnt: [PATCH] Input: gtco - fix potential out-of-bound access

Stefan Bader stefan.bader at canonical.com
Mon Jul 23 13:22:10 UTC 2018 

On 20.07.2018 15:10, Colin King wrote:
> From: Dmitry Torokhov <dmitry.torokhov at gmail.com>
> 
> CVE-2017-16643
> 
> parse_hid_report_descriptor() has a while (i < length) loop, which
> only guarantees that there's at least 1 byte in the buffer, but the
> loop body can read multiple bytes which causes out-of-bounds access.
> 
> Reported-by: Andrey Konovalov <andreyknvl at google.com>
> Reviewed-by: Andrey Konovalov <andreyknvl at google.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
> (clean upstream cherry pick from commit a50829479f58416a013a4ccca791336af3c584c7)
> Acked-by: Colin Ian King <colin.king at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

-> (cherry picked from commit a50829479f58416a013a4ccca791336af3c584c7)

>  drivers/input/tablet/gtco.c | 17 ++++++++++-------
>  1 file changed, 10 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
> index b796e89..4b8b9d7 100644
> --- a/drivers/input/tablet/gtco.c
> +++ b/drivers/input/tablet/gtco.c
> @@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
>  
>  	/* Walk  this report and pull out the info we need */
>  	while (i < length) {
> -		prefix = report[i];
> -
> -		/* Skip over prefix */
> -		i++;
> +		prefix = report[i++];
>  
>  		/* Determine data size and save the data in the proper variable */
> -		size = PREF_SIZE(prefix);
> +		size = (1U << PREF_SIZE(prefix)) >> 1;
> +		if (i + size > length) {
> +			dev_err(ddev,
> +				"Not enough data (need %d, have %d)\n",
> +				i + size, length);
> +			break;
> +		}
> +
>  		switch (size) {
>  		case 1:
>  			data = report[i];
> @@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
>  		case 2:
>  			data16 = get_unaligned_le16(&report[i]);
>  			break;
> -		case 3:
> -			size = 4;
> +		case 4:
>  			data32 = get_unaligned_le32(&report[i]);
>  			break;
>  		}
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180723/486a0e37/attachment.sig>

More information about the kernel-team mailing list