voidanix
/
android_kernel_lge_bullhead
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
android_kernel_lge_bullhead/drivers/hid
History
Alan Stern 4cd3c61d73 HID: Fix assumption that devices have inputs 
commit d9d4b1e46d9543a82c23f6df03f4ad697dab361b upstream.

The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver.  The problem is caused by the driver's assumption that the
device must have an input report.  While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.

The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.

Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ica4d1b6adc1bcb30ce077f7d954cb8ba94bce730
 		2020-07-11 12:23:33 +02:00
..
i2c-hid HID: i2c-hid: Add sleep between POWER ON and RESET 2017-06-20 14:04:41 +02:00
usbhid HID: hiddev: do cleanup in failure of opening a device 2020-07-11 12:23:03 +02:00
Kconfig Merge upstream linux-stable v3.10.28 into msm-3.10 2014-03-24 14:28:34 -07:00
Makefile Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
hid-a4tech.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-apple.c HID: apple: option to swap the 'Option' ("Alt") and 'Command' ("Flag") keys. 2013-12-04 10:57:34 -08:00
hid-appleir.c HID: appleir: add support for Apple ir devices 2013-04-18 19:06:20 -07:00
hid-aureal.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-axff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-belkin.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-cherry.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-chicony.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-core.c This is the 3.10.96 stable release 2018-01-25 17:06:17 -07:00
hid-cypress.c HID: hid-cypress: validate length of report 2017-06-20 14:03:27 +02:00
hid-debug.c ANDROID: HID: debug: check length in hid_debug_events_read() before copy_to_user() 2018-07-12 16:41:00 -07:00
hid-dr.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-elecom.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-emsff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-ezkey.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-gaff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-generic.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-gyration.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-holtek-kbd.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-hyperv.c Drivers: hid: hid-hyperv: Use consolidated GUID definitions 2013-01-25 11:17:31 -08:00
hid-icade.c HID: icade: u16 which never < 0 2013-04-24 16:32:27 +02:00
hid-ids.h HID: Add a new id 0x501a for Genius MousePen i608X 2015-01-16 06:59:01 -08:00
hid-input.c This is the 3.10.103 stable release 2018-01-25 17:26:32 -07:00
hid-kensington.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-keytouch.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-kye.c HID: Add a new id 0x501a for Genius MousePen i608X 2015-01-16 06:59:01 -08:00
hid-lcpower.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-lenovo-tpkbd.c HID: lenovo-tpkbd: validate output report details 2013-10-01 09:17:46 -07:00
hid-lg.c HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 2017-06-20 14:04:40 +02:00
hid-lg.h HID: hid-lg4ff: Adjust X axis input value accordingly to selected range. 2012-09-25 15:41:02 +02:00
hid-lg2ff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-lg4ff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-lgff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-logitech-dj.c HID: logitech-dj: prevent false errors to be shown 2014-10-05 14:54:08 -07:00
hid-logitech-dj.h HID: logitech-dj: prevent false errors to be shown 2014-10-05 14:54:08 -07:00
hid-magicmouse.c This is the 3.10.67 stable release 2015-05-01 13:34:57 -07:00
hid-microsoft.c HID: Add PID for Japanese version of NE4K keyboard 2013-04-29 10:16:55 +02:00
hid-monterey.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-multitouch.c Merge upstream linux-stable v3.10.28 into msm-3.10 2014-03-24 14:28:34 -07:00
hid-ntrig.c bludgeon the qualcomm kernel until it builds on i386 for qemu testing 2015-06-15 15:10:00 -07:00
hid-ortek.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-petalynx.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-picolcd.h Merge branches 'for-3.10/multitouch', 'for-3.10/roccat' and 'for-3.10/upstream' into for-linus 2013-04-30 10:19:07 +02:00
hid-picolcd_backlight.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd_cir.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-26 17:18:16 -07:00
hid-picolcd_core.c HID: picolcd: sanity check report size in raw_event() callback 2014-10-05 14:54:08 -07:00
hid-picolcd_debugfs.c HID: fix data access in implement() 2013-10-13 16:08:28 -07:00
hid-picolcd_fb.c HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-26 17:18:16 -07:00
hid-picolcd_lcd.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-picolcd_leds.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-pl.c HID: pantherlord: validate output report details 2013-09-26 17:18:15 -07:00
hid-primax.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-prodikeys.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-ps3remote.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-roccat-arvo.c
hid-roccat-arvo.h
hid-roccat-common.c HID: roccat: add new device return value 2013-12-04 10:57:34 -08:00
hid-roccat-common.h
hid-roccat-isku.c HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-isku.h HID: roccat: add support for IskuFX 2013-03-14 11:50:49 +01:00
hid-roccat-kone.c HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-kone.h HID: roccat: added media key support for Kone 2013-04-08 10:33:13 +02:00
hid-roccat-koneplus.c HID: roccat: deprecate some Koneplus attributes 2012-11-12 15:30:28 +01:00
hid-roccat-koneplus.h HID: roccat: fix wrong attr size for koneplus tcu 2012-11-18 22:58:28 +01:00
hid-roccat-konepure.c HID: roccat: add support for KonePureOptical v2 2013-10-13 16:08:35 -07:00
hid-roccat-konepure.h HID: roccat: add support for Roccat Kone Pure gaming mouse 2013-03-14 11:50:49 +01:00
hid-roccat-kovaplus.c HID: roccat: fix Coverity CID 141438 2013-12-04 10:57:34 -08:00
hid-roccat-kovaplus.h HID: roccat: deprecate some Kovaplus attributes 2012-11-12 15:30:29 +01:00
hid-roccat-lua.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-roccat-lua.h HID: roccat: add support for Roccat Lua 2012-10-17 10:44:47 +02:00
hid-roccat-pyra.c HID: roccat: potential out of bounds in pyra_sysfs_write_settings() 2015-01-16 06:59:01 -08:00
hid-roccat-pyra.h HID: roccat: deprecated some Pyra attributes 2012-11-12 15:30:28 +01:00
hid-roccat-savu.c HID: roccat: enable Savu device reset 2012-11-05 13:17:39 +01:00
hid-roccat-savu.h
hid-roccat.c HID: roccat: fix comments on chardevice 2013-03-14 11:50:49 +01:00
hid-saitek.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-samsung.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-sensor-hub.c HID: hid-sensor-hub: fix report size 2013-12-04 10:57:19 -08:00
hid-sjoy.c HID: use hid_hw_request() instead of direct call to usbhid 2013-02-25 13:26:41 +01:00
hid-sony.c Merge branches 'for-3.9/sony' and 'for-3.9/steelseries' into for-linus 2013-02-21 10:45:52 +01:00
hid-speedlink.c HID: Fix Speedlink VAD Cezanne support for some devices 2013-09-26 17:18:16 -07:00
hid-steelseries.c HID: steelseries: validate output report details 2013-10-01 09:17:46 -07:00
hid-sunplus.c HID: fix a couple of off-by-ones 2014-09-05 16:28:34 -07:00
hid-thingm.c HID: Kconfig: Remove explicit transport layer dependencies 2013-02-25 13:26:40 +01:00
hid-tivo.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-tmff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-topseed.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-twinhan.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-uclogic.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-wacom.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-waltop.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hid-wiimote-core.c HID: wiimote: parse reduced status reports 2013-04-04 09:38:43 +02:00
hid-wiimote-debug.c HID: Fix uninitialized variable "size" in hid-wiimote-debug 2013-01-18 10:59:24 +01:00
hid-wiimote-ext.c HID: wiimote: fix nunchuck button parser 2013-02-18 10:41:52 +01:00
hid-wiimote.h
hid-zpff.c HID: Fix assumption that devices have inputs 2020-07-11 12:23:33 +02:00
hid-zydacron.c HID: Use module_hid_driver macro 2013-01-03 10:27:31 +01:00
hidraw.c HID: hidraw: correctly deallocate memory on device disconnect 2013-09-26 17:18:17 -07:00
uhid.c ANDROID: hid: uhid: implement refcount for open and close 2017-06-15 22:47:47 +00:00