HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ] report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452 Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com> Reviewed-by: Silvan Jegen <s.jegen@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Camila Alvarez <cam.alvarez.i@gmail.com> 2024-07-31 02:42:43 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-09-12 12:03:54 +0300
commit: fac3cb3c6428afe2207593a183b5bc4742529dfd (patch)
tree: eeac7a4ff295281af29b797d6a6e8edcfab2709f
parent: 7ef29fada7d2b3e0fca680e7319be7396602f459 (diff)
download: linux-fac3cb3c6428afe2207593a183b5bc4742529dfd.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c
index 4ff3bc1d25e2..5294299afb26 100644
--- a/drivers/hid/hid-cougar.c
+++ b/drivers/hid/hid-cougar.c
@@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void)
 static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 				 unsigned int *rsize)
 {
-	if (rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
+	if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
 	    (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) {
 		hid_info(hdev,
 			"usage count exceeds max: fixing up report descriptor\n");
author	Camila Alvarez <cam.alvarez.i@gmail.com>	2024-07-31 02:42:43 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-09-12 12:03:54 +0300
commit	fac3cb3c6428afe2207593a183b5bc4742529dfd (patch)
tree	eeac7a4ff295281af29b797d6a6e8edcfab2709f
parent	7ef29fada7d2b3e0fca680e7319be7396602f459 (diff)
download	linux-fac3cb3c6428afe2207593a183b5bc4742529dfd.tar.xz