HID: betop: fix slab-out-of-bounds Write in betop_probe
commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream. Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. The problem is the driver assumes the device must have an input report but some malicious devices violate this assumption. So this patch checks hid_device's input is non empty before it's been used. Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk> Reviewed-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
24f3d26091
commit
fe9bb925e7
|
@ -56,15 +56,22 @@ static int betopff_init(struct hid_device *hid)
|
||||||
{
|
{
|
||||||
struct betopff_device *betopff;
|
struct betopff_device *betopff;
|
||||||
struct hid_report *report;
|
struct hid_report *report;
|
||||||
struct hid_input *hidinput =
|
struct hid_input *hidinput;
|
||||||
list_first_entry(&hid->inputs, struct hid_input, list);
|
|
||||||
struct list_head *report_list =
|
struct list_head *report_list =
|
||||||
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
|
||||||
struct input_dev *dev = hidinput->input;
|
struct input_dev *dev;
|
||||||
int field_count = 0;
|
int field_count = 0;
|
||||||
int error;
|
int error;
|
||||||
int i, j;
|
int i, j;
|
||||||
|
|
||||||
|
if (list_empty(&hid->inputs)) {
|
||||||
|
hid_err(hid, "no inputs found\n");
|
||||||
|
return -ENODEV;
|
||||||
|
}
|
||||||
|
|
||||||
|
hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
|
||||||
|
dev = hidinput->input;
|
||||||
|
|
||||||
if (list_empty(report_list)) {
|
if (list_empty(report_list)) {
|
||||||
hid_err(hid, "no output reports found\n");
|
hid_err(hid, "no output reports found\n");
|
||||||
return -ENODEV;
|
return -ENODEV;
|
||||||
|
|
Loading…
Reference in New Issue