diff options
| author | Jiri Kosina <jkosina@suse.cz> | 2007-10-15 09:17:41 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-10-15 11:12:00 -0400 |
| commit | 57d292bd7e6e72898e533687af481603597b1ca7 (patch) | |
| tree | d9594d10bfc843b44eb4ad1b32f945b000330f8c | |
| parent | 23fd50450a34f2558070ceabb0bfebc1c9604af5 (diff) | |
HID: fix HIDIOCGRDESC memory access in hidraw
Fix bogus copying of data into userspace when HIDIOCGRDESC is issued.
HID-transport layer makes sure that dev->hid->rdesc is not larger than
HID_MAX_DESCRIPTOR_SIZE.
Noticed-by: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | drivers/hid/hidraw.c | 12 | ||||
| -rw-r--r-- | include/linux/hid.h | 20 | ||||
| -rw-r--r-- | include/linux/hidraw.h | 6 |
3 files changed, 24 insertions, 14 deletions
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 8503197a8131..a702e2f6da7d 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c | |||
| @@ -229,9 +229,15 @@ static int hidraw_ioctl(struct inode *inode, struct file *file, unsigned int cmd | |||
| 229 | 229 | ||
| 230 | if (get_user(len, (int __user *)arg)) | 230 | if (get_user(len, (int __user *)arg)) |
| 231 | return -EFAULT; | 231 | return -EFAULT; |
| 232 | if (copy_to_user(*((__u8 **)(user_arg + | 232 | |
| 233 | sizeof(__u32))), | 233 | if (len > HID_MAX_DESCRIPTOR_SIZE - 1) |
| 234 | dev->hid->rdesc, len)) | 234 | return -EINVAL; |
| 235 | |||
| 236 | if (copy_to_user(user_arg + offsetof( | ||
| 237 | struct hidraw_report_descriptor, | ||
| 238 | value[0]), | ||
| 239 | dev->hid->rdesc, | ||
| 240 | min(dev->hid->rsize, len))) | ||
| 235 | return -EFAULT; | 241 | return -EFAULT; |
| 236 | return 0; | 242 | return 0; |
| 237 | } | 243 | } |
diff --git a/include/linux/hid.h b/include/linux/hid.h index 55e51f9f76cb..edb8024d744b 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h | |||
| @@ -29,13 +29,6 @@ | |||
| 29 | * Vojtech Pavlik, Simunkova 1594, Prague 8, 182 00 Czech Republic | 29 | * Vojtech Pavlik, Simunkova 1594, Prague 8, 182 00 Czech Republic |
| 30 | */ | 30 | */ |
| 31 | 31 | ||
| 32 | #include <linux/types.h> | ||
| 33 | #include <linux/slab.h> | ||
| 34 | #include <linux/list.h> | ||
| 35 | #include <linux/timer.h> | ||
| 36 | #include <linux/workqueue.h> | ||
| 37 | #include <linux/input.h> | ||
| 38 | |||
| 39 | /* | 32 | /* |
| 40 | * USB HID (Human Interface Device) interface class code | 33 | * USB HID (Human Interface Device) interface class code |
| 41 | */ | 34 | */ |
| @@ -69,6 +62,17 @@ | |||
| 69 | #define HID_DT_REPORT (USB_TYPE_CLASS | 0x02) | 62 | #define HID_DT_REPORT (USB_TYPE_CLASS | 0x02) |
| 70 | #define HID_DT_PHYSICAL (USB_TYPE_CLASS | 0x03) | 63 | #define HID_DT_PHYSICAL (USB_TYPE_CLASS | 0x03) |
| 71 | 64 | ||
| 65 | #define HID_MAX_DESCRIPTOR_SIZE 4096 | ||
| 66 | |||
| 67 | #ifdef __KERNEL__ | ||
| 68 | |||
| 69 | #include <linux/types.h> | ||
| 70 | #include <linux/slab.h> | ||
| 71 | #include <linux/list.h> | ||
| 72 | #include <linux/timer.h> | ||
| 73 | #include <linux/workqueue.h> | ||
| 74 | #include <linux/input.h> | ||
| 75 | |||
| 72 | /* | 76 | /* |
| 73 | * We parse each description item into this structure. Short items data | 77 | * We parse each description item into this structure. Short items data |
| 74 | * values are expanded to 32-bit signed int, long items contain a pointer | 78 | * values are expanded to 32-bit signed int, long items contain a pointer |
| @@ -311,7 +315,6 @@ struct hid_global { | |||
| 311 | * This is the local environment. It is persistent up the next main-item. | 315 | * This is the local environment. It is persistent up the next main-item. |
| 312 | */ | 316 | */ |
| 313 | 317 | ||
| 314 | #define HID_MAX_DESCRIPTOR_SIZE 4096 | ||
| 315 | #define HID_MAX_USAGES 8192 | 318 | #define HID_MAX_USAGES 8192 |
| 316 | #define HID_DEFAULT_NUM_COLLECTIONS 16 | 319 | #define HID_DEFAULT_NUM_COLLECTIONS 16 |
| 317 | 320 | ||
| @@ -560,4 +563,5 @@ static inline int hid_ff_init(struct hid_device *hid) { return -1; } | |||
| 560 | #define err_hid(format, arg...) printk(KERN_ERR "%s: " format "\n" , \ | 563 | #define err_hid(format, arg...) printk(KERN_ERR "%s: " format "\n" , \ |
| 561 | __FILE__ , ## arg) | 564 | __FILE__ , ## arg) |
| 562 | #endif | 565 | #endif |
| 566 | #endif | ||
| 563 | 567 | ||
diff --git a/include/linux/hidraw.h b/include/linux/hidraw.h index 6676cd5e9954..0536f299f7ff 100644 --- a/include/linux/hidraw.h +++ b/include/linux/hidraw.h | |||
| @@ -15,9 +15,11 @@ | |||
| 15 | * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA. | 15 | * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA. |
| 16 | */ | 16 | */ |
| 17 | 17 | ||
| 18 | #include <linux/hid.h> | ||
| 19 | |||
| 18 | struct hidraw_report_descriptor { | 20 | struct hidraw_report_descriptor { |
| 19 | __u32 size; | 21 | __u32 size; |
| 20 | __u8 *value; | 22 | __u8 value[HID_MAX_DESCRIPTOR_SIZE]; |
| 21 | }; | 23 | }; |
| 22 | 24 | ||
| 23 | struct hidraw_devinfo { | 25 | struct hidraw_devinfo { |
| @@ -40,8 +42,6 @@ struct hidraw_devinfo { | |||
| 40 | /* kernel-only API declarations */ | 42 | /* kernel-only API declarations */ |
| 41 | #ifdef __KERNEL__ | 43 | #ifdef __KERNEL__ |
| 42 | 44 | ||
| 43 | #include <linux/hid.h> | ||
| 44 | |||
| 45 | struct hidraw { | 45 | struct hidraw { |
| 46 | unsigned int minor; | 46 | unsigned int minor; |
| 47 | int exist; | 47 | int exist; |