HID: Fix assumption that devices have inputs

The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver.  The problem is caused by the driver's assumption that the
device must have an input report.  While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.

The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.

Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>

1 files changed, 9 insertions, 3 deletions

diff --git a/drivers/hid/hid-emsff.c b/drivers/hid/hid-emsff.c
index 7cd5651872d3..c34f2e5a049f 100644
--- a/drivers/hid/hid-emsff.c
+++ b/drivers/hid/hid-emsff.c
@@ -47,13 +47,19 @@ static int emsff_init(struct hid_device *hid)
 {
         struct emsff_device *emsff;
         struct hid_report *report;
-        struct hid_input *hidinput = list_first_entry(&hid->inputs,
-                                                struct hid_input, list);
+        struct hid_input *hidinput;
         struct list_head *report_list =
                         &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
+        struct input_dev *dev;
         int error;
 
+        if (list_empty(&hid->inputs)) {
+                hid_err(hid, "no inputs found\n");
+                return -ENODEV;
+        }
+        hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
+        dev = hidinput->input;
+
         if (list_empty(report_list)) {
                 hid_err(hid, "no output reports found\n");
                 return -ENODEV;