HID: core: fix off-by-one memset in hid_report_raw_event()
Johan Korsnes authored
commit 5ebdffd2 upstream.

In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated,
but the report-number byte is not correctly handled. This results in an
off-by-one in the following memset, causing a kernel Oops and ensuing
system crash.

Note: With commit 8ec321e9 ("HID: Fix slab-out-of-bounds read in
hid_field_extract") I no longer hit the kernel Oops as we instead fail
"controlled" at probe if there is a report too long in the HID
report-descriptor. hid_report_raw_event() is an exported symbol, so
presumably we cannot always rely on this being the case.

Fixes: 966922f2 ("HID: fix a crash in hid_report_raw_event() function.")
Signed-off-by: Johan Korsnes <jkorsnes@cisco.com>
Cc: Armando Visconti <armando.visconti@st.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Ha...
819f8ab7
Name Last commit Last update
Documentation mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()
LICENSES LICENSES: Rename other to deprecated
arch KVM: VMX: check descriptor table exits on instruction emulation
block block, bfq: do not plug I/O for bfq_queues with no proc refs
certs PKCS#7: Refactor verify_pkcs7_signature()
crypto crypto: rename sm3-256 to sm3 in hash_algo_name
drivers HID: core: fix off-by-one memset in hid_report_raw_event()
fs ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
include ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
init Revert "um: Enable CONFIG_CONSTRUCTORS"
ipc Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
kernel audit: always check the netlink payload length in audit_receive_msg()
lib lib/stackdepot.c: fix global out-of-bounds in stack_slabs
mm mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()
net mac80211: fix wrong 160/80+80 MHz setting
samples samples/bpf: Set -fno-stack-protector when building BPF programs
scripts bpf, btf: Always output invariant hit in pahole DWARF to BTF transform
security selinux: ensure we cleanup the internal AVC counters on error in avc_update()
sound ASoC: SOF: Intel: hda: Add iDisp4 DAI
tools ipv6: Fix route replacement with dev-only route
usr gen_initramfs_list.sh: fix 'bad variable name' error
virt KVM: arm64: Treat emulated TVAL TimerValue as a signed 32-bit integer
.clang-format clang-format: Update with the latest for_each macro list
.cocciconfig scripts: add Linux .cocciconfig for coccinelle
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.