From: Matt DeVillier
Date: Fri, 13 Dec 2019 11:41:33 -0600
To: seabios
Subject: [SeaBIOS] [PATCH v2] hw/usb-hid: handle devices with illegal max packet size

Some USB keyboards report 9 or 10-byte max packet sizes, instead of the 8-byte max specified by the USB HID spec. Handle this by increasing the size of the keyevent struct to 10 bytes, zeroizing it before use, and using the key array size of the usbkeyinfo struct as loop bounds rather than that of the keyevent struct (since the former will always be smaller, and within spec) to prevent buffer overflow.

Test: built/boot on Google Pixel Slate, observe keyboard functional

Signed-off-by: Matt DeVillier
--- src/hw/usb-hid.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/hw/usb-hid.c b/src/hw/usb-hid.c index fa4d9a2..bce1b5f 100644 --- a/src/hw/usb-hid.c +++ b/src/hw/usb-hid.c
@@ -8,6 +8,7 @@ #include "config.h" // CONFIG_* #include "output.h" // dprintf #include "ps2port.h" // ATKBD_CMD_GETID +#include //memset #include "usb.h" // usb_ctrlrequest #include "usb-hid.h" // usb_keyboard_setup #include "util.h" // process_key @@ -59,8 +60,10 @@ usb_kbd_setup(struct usbdevice_s *usbdev // XXX - this enables the first found keyboard (could be random) return -1; - if (epdesc->wMaxPacketSize !=3D 8) + if (epdesc->wMaxPacketSize > 10) { + dprintf(1, "USB keyboard endpoint wMaxPacketSize > 10; aborting\n"= ); return -1; + } // Enable "boot" protocol. int ret =3D set_protocol(usbdev->defpipe, 0); @@ -163,11 +166,15 @@ static u16 ModifierToScanCode[] VAR16 =3D { #define RELEASEBIT 0x80 -// Format of USB keyboard event data +// Format of USB keyboard event data. +// Some keyboards use a 9/10 byte packet size, +// so account for that here to prevent buffer +// overflow. We'll ignore the 9th/10th bytes +// as it's out of spec. struct keyevent { u8 modifiers; u8 reserved; - u8 keys[6]; + u8 keys[8]; }; // Translate data from KeyToScanCode[] to calls to process_key(). @@ -253,7 +260,7 @@ handle_key(struct keyevent *data) break; int j; for (j=3D0;; j++) { - if (j>=3DARRAY_SIZE(data->keys)) { + if (j>=3DARRAY_SIZE(old.keys)) { // Key released. procscankey(key, RELEASEBIT, data->modifiers); if (i+1 >=3D ARRAY_SIZE(old.keys) || !old.keys[i+1]) @@ -274,7 +281,7 @@ handle_key(struct keyevent *data) // Process new keys procmodkey(data->modifiers & ~old.modifiers, 0); old.modifiers =3D data->modifiers; - for (i=3D0; ikeys); i++) { + for (i=3D0; ikeys[i]; if (!key) continue; @@ -310,6 +317,8 @@ usb_check_key(void) for (;;) { struct keyevent data; + // zeroize struct as most keyboards won't fill it + memset(&data, 0, sizeof(data)); int ret =3D usb_poll_intr(pipe, &data); if (ret) break; --=20 2.20.1 _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org
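Review bot: The include added in the first hunk (the "//memset" line) does not match the neighbouring includes, which are quoted project headers followed by a spaced "// symbol" comment. The header name does not appear on the line as posted, and the comment lacks the space after "//". Please use the same quoted form and comment style as the lines around it.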
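Review bot: In usb_kbd_setup, the new test "epdesc->wMaxPacketSize > 10" drops the lower bound that "!= 8" enforced, so an endpoint reporting fewer than 8 bytes (including 0) is now accepted, while the commit message only argues for 9 and 10. If that is intended, say so in the commit message; otherwise reject sizes below 8 as well. The literal 10 is also the size of struct keyevent after this patch (1 + 1 + 8), so comparing against sizeof(struct keyevent) would keep the check and the buffer from drifting apart.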
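Review bot: In struct keyevent, widening "u8 keys[6];" to "u8 keys[8];" makes the member claim eight key slots while the new comment says the extra two bytes are ignored. Keeping keys[6] and adding a separate two-byte padding member would give the same 10-byte buffer, leave ARRAY_SIZE(data->keys) meaningful, and make the loop-bound changes in handle_key unnecessary. The comment should also read "as they are out of spec".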
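Review bot: In handle_key, bounding the j loop by ARRAY_SIZE(old.keys) instead of ARRAY_SIZE(data->keys) is only safe while the first array is no longer than the second, which the commit message asserts but nothing in the code enforces. A short comment at the loop, or a build-time check comparing the two array sizes, would stop a later change to either struct from reintroducing an out-of-bounds read.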
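Review bot: In usb_check_key, the comment on the memset ("most keyboards won't fill it") does not say what goes wrong without it: data is an uninitialised stack struct, and a keyboard that sends fewer than sizeof(data) bytes leaves stale bytes in the part it did not write. Stating that in the comment would also explain why the clear has to sit inside the for (;;) loop, before each usb_poll_intr call, rather than once ahead of it.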