From nobody Tue Oct 7 09:53:11 2025
From: Benjamin Tissoires
Date: Thu, 10 Jul 2025 16:01:33 +0200
Subject: [PATCH v2 1/4] HID: core: ensure the allocated report buffer can contain the reserved report ID
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <20250710-report-size-null-v2-1-ccf922b7c4e5@kernel.org>
References: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
In-Reply-To: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
To: Jiri Kosina, Alan Stern, Shuah Khan
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Benjamin Tissoires, stable@vger.kernel.org

When the report ID is not used, the low level transport drivers expect
the first byte to be 0. However, currently the allocated buffer does not
account for that extra byte, meaning that instead of having 8 guaranteed
bytes for implement to be working, we only have 7.

Reported-by: Alan Stern
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Suggested-by: Alan Stern
Signed-off-by: Benjamin Tissoires
---
 drivers/hid/hid-core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index b348d0464314ca331da073128f0ec4e0a6a91ed1..1a231dd9e4bc83202f2cbcd8b3a= 21e8c82b9deec 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c 
@@ -1883,9 +1883,12 @@ u8 *hid_alloc_report_buf(struct hid_report *report, = gfp_t flags) /* * 7 extra bytes are necessary to achieve proper functionality * of implement() working on 8 byte chunks + * 1 extra byte for the report ID if it is null (not used) so + * we can reserve that extra byte in the first position of the buffer + * when sending it to .raw_request() */ =20 - u32 len =3D hid_report_len(report) + 7; + u32 len =3D hid_report_len(report) + 7 + (report->id =3D=3D 0); =20 return kzalloc(len, flags); } --=20 2.49.0
From nobody Tue Oct 7 09:53:11 2025
From: Benjamin Tissoires
Date: Thu, 10 Jul 2025 16:01:34 +0200
Subject: [PATCH v2 2/4] HID: core: ensure __hid_request reserves the report ID as the first byte
Message-Id: <20250710-report-size-null-v2-2-ccf922b7c4e5@kernel.org>
References: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
In-Reply-To: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
To: Jiri Kosina, Alan Stern, Shuah Khan
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Benjamin Tissoires, syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com, stable@vger.kernel.org

The low level transport driver expects the first byte to be the report
ID, even when the report ID is not used (in which case they just shift
the buffer). However, __hid_request() was not offsetting the buffer it
used by one in this case, meaning that the raw_request() callback
emitted by the transport driver would be stripped of the first byte.

Reported-by: Alan Stern
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires
---
 drivers/hid/hid-core.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 1a231dd9e4bc83202f2cbcd8b3a21e8c82b9deec..320887c365f7a36f7376556ffd1= 9f99e52b7d732 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1976,7 +1976,7 @@ static struct hid_report *hid_get_report(struct hid_r= eport_enum *report_enum, int __hid_request(struct hid_device *hid, struct hid_report *report, enum hid_class_request reqtype) { - char *buf; + char *buf, *data_buf; int ret; u32 len; =20 
@@ -1984,10 +1984,17 @@ int __hid_request(struct hid_device *hid, struct hi= d_report *report, if (!buf) return -ENOMEM; =20 + data_buf =3D buf; len =3D hid_report_len(report); =20 + if (report->id =3D=3D 0) { + /* reserve the first byte for the report ID */ + data_buf++; + len++; + } + if (reqtype =3D=3D HID_REQ_SET_REPORT) - hid_output_report(report, buf); + hid_output_report(report, data_buf); =20 ret =3D hid->ll_driver->raw_request(hid, report->id, buf, len, report->type, reqtype); --=20 2.49.0
From nobody Tue Oct 7 09:53:11 2025
From: Benjamin Tissoires
Date: Thu, 10 Jul 2025 16:01:35 +0200
Subject: [PATCH v2 3/4] HID: core: do not bypass hid_hw_raw_request
Message-Id: <20250710-report-size-null-v2-3-ccf922b7c4e5@kernel.org>
References: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
In-Reply-To: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
To: Jiri Kosina, Alan Stern, Shuah Khan
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Benjamin Tissoires, stable@vger.kernel.org

hid_hw_raw_request() is actually useful to ensure the provided buffer
and length are valid. Directly calling in the low level transport driver
function bypassed those checks and allowed invalid param to be used.

Reported-by: Alan Stern
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires
---
 drivers/hid/hid-core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 320887c365f7a36f7376556ffd19f99e52b7d732..b31b8a2fd540bd5ed6659902082= 4726e69d10d75 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c 
@@ -1996,8 +1996,7 @@ int __hid_request(struct hid_device *hid, struct hid_= report *report, if (reqtype =3D=3D HID_REQ_SET_REPORT) hid_output_report(report, data_buf); =20 - ret =3D hid->ll_driver->raw_request(hid, report->id, buf, len, - report->type, reqtype); + ret =3D hid_hw_raw_request(hid, report->id, buf, len, report->type, reqty= pe); if (ret < 0) { dbg_hid("unable to complete request: %d\n", ret); goto out; --=20 2.49.0
From nobody Tue Oct 7 09:53:11 2025
From: Benjamin Tissoires
Date: Thu, 10 Jul 2025 16:01:36 +0200
Subject: [PATCH v2 4/4] selftests/hid: add a test case for the recent syzbot underflow
Message-Id: <20250710-report-size-null-v2-4-ccf922b7c4e5@kernel.org>
References: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
In-Reply-To: <20250710-report-size-null-v2-0-ccf922b7c4e5@kernel.org>
To: Jiri Kosina, Alan Stern, Shuah Khan
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Benjamin Tissoires

Syzbot found a buffer underflow in __hid_request(). Add a related test
case for it. It's not perfect, but it allows to catch a corner case when
a report descriptor is crafted so that it has a size of 0.

Signed-off-by: Benjamin Tissoires
---
 tools/testing/selftests/hid/tests/test_mouse.py | 70 +++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
diff --git a/tools/testing/selftests/hid/tests/test_mouse.py b/tools/testin= g/selftests/hid/tests/test_mouse.py index 66daf7e5975ca50f0b065080669d7f6123fb177f..eb4e15a0e53bd5f3c8e0ea02365= ff9da7eead93d 100644 --- a/tools/testing/selftests/hid/tests/test_mouse.py +++ b/tools/testing/selftests/hid/tests/test_mouse.py 
@@ -439,6 +439,68 @@ class BadResolutionMultiplierMouse(ResolutionMultiplie= rMouse): return 32 # EPIPE =20 =20 +class BadReportDescriptorMouse(BaseMouse): + """ + This "device" was one autogenerated by syzbot. There are a lot of issu= es in + it, and the most problematic is that it declares features that have no + size. + + This leads to report->size being set to 0 and can mess up with usbhid + internals. Fortunately, uhid merely passes the incoming buffer, witho= ut + touching it so a buffer of size 0 will be translated to [] without + triggering a kernel oops. + + Because the report descriptor is wrong, no input are created, and we n= eed + to tweak a little bit the parameters to make it look correct. + """ + + # fmt: off + report_descriptor =3D [ + 0x96, 0x01, 0x00, # Report Count (1) = 0 + 0x06, 0x01, 0x00, # Usage Page (Generic Desktop) = 3 + # 0x03, 0x00, 0x00, 0x00, 0x00, # Ignored by the kernel somehow + 0x2a, 0x90, 0xa0, # Usage Maximum (41104) = 6 + 0x27, 0x00, 0x00, 0x00, 0x00, # Logical Maximum (0) = 9 + 0xb3, 0x81, 0x3e, 0x25, 0x03, # Feature (Cnst,Arr,Abs,Vol) = 14 + 0x1b, 0xdd, 0xe8, 0x40, 0x50, # Usage Minimum (1346431197) = 19 + 0x3b, 0x5d, 0x8c, 0x3d, 0xda, # Designator Index = 24 + ] + # fmt: on + + def __init__( + self, rdesc=3Dreport_descriptor, name=3DNone, input_info=3D(3, 0x0= 45E, 0x07DA) + ): + super().__init__(rdesc, name, input_info) + self.high_resolution_report_called =3D False + + def get_evdev(self, application=3DNone): + assert self._input_nodes is None + return ( + "Ok" # should be a list or None, but both would fail, so abus= ing the system + ) + + def next_sync_events(self, application=3DNone): + # there are no evdev nodes, so no events + return [] + + def is_ready(self): + # we wait for the SET_REPORT command to come + return self.high_resolution_report_called + + def set_report(self, req, rnum, rtype, data): + if rtype !=3D self.UHID_FEATURE_REPORT: + raise InvalidHIDCommunication(f"Unexpected report type: {rtype= }") + if 
rnum !=3D 0x0: + raise InvalidHIDCommunication(f"Unexpected report number: {rnu= m}") + + if len(data) !=3D 1: + raise InvalidHIDCommunication(f"Unexpected data: {data}, expec= ted '[0]'") + + self.high_resolution_report_called =3D True + + return 0 + + class ResolutionMultiplierHWheelMouse(TwoWheelMouse): # fmt: off report_descriptor =3D [ @@ -975,3 +1037,11 @@ class TestMiMouse(TestWheelMouse): # assert below print out the real error pass assert remaining =3D=3D [] + + +class TestBadReportDescriptorMouse(base.BaseTestCase.TestUhid): + def create_device(self): + return BadReportDescriptorMouse() + + def assertName(self, uhdev): + pass --=20 2.49.0
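
Review bot: In [PATCH v2 1/4], the hid_alloc_report_buf() hunk encodes the reserved-byte rule as `+ (report->id == 0)`, while 2/4 encodes the same rule again as `data_buf++; len++;` under the same condition, so the allocation size and the request length must now be kept in step by hand. A small shared helper, or a comment in each place naming the other, would stop a later change to one side from leaving the buffer one byte short again. This patch also has Cc: stable but no Fixes: tag even though 2/4 depends on it: if 2/4 were backported alone, hid_output_report() would write starting at buf + 1 into an allocation that still has only the 7 bytes of slack the commit message describes.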
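
Review bot: In [PATCH v2 2/4], hunk @@ -1984, nothing writes the reserved byte: after `data_buf++` the value at buf[0] is whatever the allocator left there, and it is 0 only because hid_alloc_report_buf() returns kzalloc() memory (visible in 1/4). Since the commit message says the transport expects that first byte to be the report ID, either set it explicitly or extend the comment `/* reserve the first byte for the report ID */` to say that it relies on the zeroed allocation, so a future switch to a non-zeroing allocator does not send an uninitialised byte to raw_request().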
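
Review bot: In [PATCH v2 3/4], the commit message does not say which invalid parameter was reaching the transport or which check in hid_hw_raw_request() now rejects it, which makes the stable backport hard to assess; please name it. In the hunk itself, the only handling after the new call is `dbg_hid("unable to complete request: %d\n", ret)`, so a request refused by the wrapper's buffer and length validation looks the same as a transport failure and is only visible with HID debugging enabled; consider whether that rejection deserves a more visible message.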
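
Review bot: In [PATCH v2 4/4], hunk @@ -439, set_report() only checks `len(data) != 1` although its own error text says it expected '[0]'. The series is about the first byte being the reserved, zero report ID, so the test should also compare the content (for example reject anything where data[0] is not 0); as written a one-byte buffer holding garbage passes. Two smaller points in the same class: `high_resolution_report_called` is a name carried over from the resolution-multiplier tests and does not describe a SET_REPORT on a feature report here, and get_evdev() returning the string "Ok" to satisfy a truthiness check deserves a clearer sentinel or a note on which caller requires it.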
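
Review bot: In [PATCH v2 4/4], hunk @@ -975, TestBadReportDescriptorMouse adds no test method of its own and stubs assertName() with `pass`, so the regression check is implicit: it passes only if is_ready() eventually sees the SET_REPORT flagged in set_report(). Please add a docstring saying that device creation reaching readiness is the test, and why the name assertion is skipped, so that a failure showing up as a readiness timeout is understood as this underflow case rather than as infrastructure flakiness.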