Commit d93ba918 authored by Lee Jones's avatar Lee Jones Committed by Jiri Kosina
Browse files

HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID 



It is currently possible for a malicious or misconfigured USB device to
cause an out-of-bounds (OOB) read when submitting reports using
DOUBLE_REPORT_ID by specifying a large report length and providing a
smaller one.

Let's prevent that by comparing the specified report length with the
actual size of the data read in from userspace.  If the actual data
length ends up being smaller than specified, we'll politely warn the
user and prevent any further processing.

Signed-off-by: default avatarLee Jones <lee@kernel.org>
Reviewed-by: default avatarGünther Noack <gnoack@google.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.com>
parent f097d246

drivers/hid/hid-magicmouse.c

+16 −0
Original line number Diff line number Diff line
@@ -390,6 +390,10 @@ static int magicmouse_raw_event(struct hid_device *hdev, 
	struct input_dev *input = msc->input;

	int x = 0, y = 0, ii, clicks = 0, npoints;



	/* Protect against zero sized recursive calls from DOUBLE_REPORT_ID */

	if (size < 1)

		return 0;



	switch (data[0]) {

	case TRACKPAD_REPORT_ID:

	case TRACKPAD2_BT_REPORT_ID:
@@ -490,6 +494,18 @@ static int magicmouse_raw_event(struct hid_device *hdev, 
		/* Sometimes the trackpad sends two touch reports in one

		 * packet.

		 */



		/* Ensure that we have at least 2 elements (report type and size) */

		if (size < 2)

			return 0;



		if (size < data[1] + 2) {

			hid_warn(hdev,

				 "received report length (%d) was smaller than specified (%d)",

				 size, data[1] + 2);

			return 0;

		}



		magicmouse_raw_event(hdev, report, data + 2, data[1]);

		magicmouse_raw_event(hdev, report, data + 2 + data[1],

			size - 2 - data[1]);