diff options
| author | F.A.Sulaiman <asha.16@itfac.mrt.ac.lk> | 2021-08-24 18:07:30 +0300 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2021-09-15 17:31:21 +0300 |
| commit | 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 (patch) | |
| tree | 3e7e93b21eb520c9a0263b892516a2a90614ac9b /drivers/hid/hid-betopff.c | |
| parent | 83ec91697412ae64d25dcca74597ed03029aa00d (diff) | |
| download | linux-1e4ce418b1cb1a810256b5fb3fd33d22d1325993.tar.xz | |
HID: betop: fix slab-out-of-bounds Write in betop_probe
Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
The problem is the driver assumes the device must have an input report but
some malicious devices violate this assumption.
So this patch checks hid_device's input is non empty before it's been used.
Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid/hid-betopff.c')
| -rw-r--r-- | drivers/hid/hid-betopff.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c index 0790fbd3fc9a..467d789f9bc2 100644 --- a/drivers/hid/hid-betopff.c +++ b/drivers/hid/hid-betopff.c @@ -56,15 +56,22 @@ static int betopff_init(struct hid_device *hid) { struct betopff_device *betopff; struct hid_report *report; - struct hid_input *hidinput = - list_first_entry(&hid->inputs, struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int field_count = 0; int error; int i, j; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV; |