diff options
author | Camila Alvarez <cam.alvarez.i@gmail.com> | 2024-07-31 02:42:43 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-09-12 12:03:54 +0300 |
commit | fac3cb3c6428afe2207593a183b5bc4742529dfd (patch) | |
tree | eeac7a4ff295281af29b797d6a6e8edcfab2709f | |
parent | 7ef29fada7d2b3e0fca680e7319be7396602f459 (diff) | |
download | linux-fac3cb3c6428afe2207593a183b5bc4742529dfd.tar.xz |
HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ]
report_fixup for the Cougar 500k Gaming Keyboard was not verifying
that the report descriptor size was correct before accessing it
Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | drivers/hid/hid-cougar.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c index 4ff3bc1d25e2..5294299afb26 100644 --- a/drivers/hid/hid-cougar.c +++ b/drivers/hid/hid-cougar.c @@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void) static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc, unsigned int *rsize) { - if (rdesc[2] == 0x09 && rdesc[3] == 0x02 && + if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 && (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) { hid_info(hdev, "usage count exceeds max: fixing up report descriptor\n"); |