[SRU][N][PATCH 1/1] HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Wed Oct 16 12:37:22 UTC 2024
From: Camila Alvarez <cam.alvarez.i at gmail.com>
[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ]
report_fixup for the Cougar 500k Gaming Keyboard was not verifying
that the report descriptor size was correct before accessing it
Reported-by: syzbot+24c0361074799d02c452 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
Signed-off-by: Camila Alvarez <cam.alvarez.i at gmail.com>
Reviewed-by: Silvan Jegen <s.jegen at gmail.com>
Signed-off-by: Jiri Kosina <jkosina at suse.com>
Signed-off-by: Sasha Levin <sashal at kernel.org>
(cherry picked from commit 48b2108efa205f4579052c27fba2b22cc6ad8aa0 linux-6.10.y)
CVE-2024-46747
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
---
drivers/hid/hid-cougar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c
index cb8bd8aae15b..0fa785f52707 100644
--- a/drivers/hid/hid-cougar.c
+++ b/drivers/hid/hid-cougar.c
@@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void)
static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc,
unsigned int *rsize)
{
- if (rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
+ if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
(rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) {
hid_info(hdev,
"usage count exceeds max: fixing up report descriptor\n");
--
2.43.0
More information about the kernel-team
mailing list