HID: bigben: fix slab-out-of-bounds Write in bigben_probe

[ Upstream commit fc4ef9d5724973193bfa5ebed181dba6de3a56db ] There is a slab-out-of-bounds Write bug in hid-bigbenff driver. The problem is the driver assumes the device must have an input but some malicious devices violate this assumption. Fix this by checking hid_device's input is non-empty before its usage. Reported-by: syzkaller <syzkaller@googlegroups.com> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Dongliang Mu <mudongliangabcd@gmail.com> 2022-05-06 10:24:25 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-06-09 11:20:54 +0300
commit: 296f8ca0f73f5268cd9b85cf72ff783596b2264e (patch)
tree: bc51ab398f196a89f1247af74716992315090124 /drivers/hid/hid-bigbenff.c
parent: 3ee67465f7115cea05e8ef59840a3529b5911fa4 (diff)
download: linux-296f8ca0f73f5268cd9b85cf72ff783596b2264e.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c
index 74ad8bf98bfd..e8c5e3ac9fff 100644
--- a/drivers/hid/hid-bigbenff.c
+++ b/drivers/hid/hid-bigbenff.c
@@ -347,6 +347,12 @@ static int bigben_probe(struct hid_device *hid,
 	bigben->report = list_entry(report_list->next,
 		struct hid_report, list);
 
+	if (list_empty(&hid->inputs)) {
+		hid_err(hid, "no inputs found\n");
+		error = -ENODEV;
+		goto error_hw_stop;
+	}
+
 	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
 	set_bit(FF_RUMBLE, hidinput->input->ffbit);
author	Dongliang Mu <mudongliangabcd@gmail.com>	2022-05-06 10:24:25 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-06-09 11:20:54 +0300
commit	296f8ca0f73f5268cd9b85cf72ff783596b2264e (patch)
tree	bc51ab398f196a89f1247af74716992315090124 /drivers/hid/hid-bigbenff.c
parent	3ee67465f7115cea05e8ef59840a3529b5911fa4 (diff)
download	linux-296f8ca0f73f5268cd9b85cf72ff783596b2264e.tar.xz