linux/drivers
Jiri Kosina 27ce405039 HID: fix data access in implement()
implement() is setting bytes in LE data stream. In case the data is not
aligned to 64bits, it reads past the allocated buffer. It doesn't really
change any value there (it's properly bitmasked), but in case that this
read past the boundary hits a page boundary, pagefault happens when
accessing 64bits of 'x' in implement(), and kernel oopses.

This happens much more often when numbered reports are in use, as the
initial 8bit skip in the buffer makes the whole process work on values
which are not aligned to 64bits.

This problem dates back to attempts in 2005 and 2006 to make implement()
and extract() as generic as possible, and even back then the problem
was realized by Adam Kroperlin, but falsely assumed to be impossible
to cause any harm:

  http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html

I have made several attempts at fixing it "on the spot" directly in
implement(), but the results were horrible; the special casing for processing
the last 64bit chunk and switching to different math makes it an unreadable mess.

I therefore took a path to allocate a few bytes more which will never make
it into final report, but are there as a cushion for all the 64bit math
operations happening in implement() and extract().

All callers of hid_output_report() are converted at the same time to allocate
the buffer by newly introduced hid_alloc_report_buf() helper.

Bruno noticed that the whole raw_size test can be dropped as well, as
hid_alloc_report_buf() makes sure that the buffer is always of a proper
size.

Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-07-22 16:16:40 +02:00
..
accessibility
acpi Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
amba
ata Merge branch 'for-3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2013-07-03 19:49:46 -07:00
atm
auxdisplay
base Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
bcma
block Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
bluetooth
bus ARM SoC device tree changes 2013-07-02 14:23:01 -07:00
cdrom drivers/cdrom/cdrom.c: use kzalloc() for failing hardware 2013-07-03 16:07:25 -07:00
char Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
clk Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
clocksource Merge branch 'for-linus' of git://git.linaro.org/people/rmk/linux-arm 2013-07-03 09:46:29 -07:00
connector
cpufreq Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
cpuidle Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
crypto ARM SoC driver specific changes 2013-07-02 14:33:21 -07:00
dca
devfreq Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
dio
dma Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
edac Add MCE signatures for family 0x15, models 30-3f. 2013-07-03 13:11:18 -07:00
eisa
extcon drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
firewire
firmware Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
fmc FMC: fix error handling in probe() function 2013-06-24 16:23:25 -07:00
gpio Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
gpu radeon: remove redundant __list_for_each definition from mkregtable.c 2013-07-03 16:07:43 -07:00
hid HID: fix data access in implement() 2013-07-22 16:16:40 +02:00
hsi drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
hv drivers: hv: allocate synic structures before hv_synic_init() 2013-06-24 16:24:17 -07:00
hwmon New driver to support GMT G762/G763 pwm fan controllers 2013-07-03 19:56:35 -07:00
hwspinlock
i2c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
ide drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
idle
iio
infiniband drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
input Merge branch 'exotic-arch-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k 2013-07-03 11:12:08 -07:00
iommu Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
ipack
irqchip Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-07-02 16:14:35 -07:00
isdn drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
leds leds: mc13783: Fix "uninitialized variable" warning 2013-07-02 08:44:02 -07:00
lguest x86, flags: Rename X86_EFLAGS_BIT1 to X86_EFLAGS_FIXED 2013-06-25 16:25:32 -07:00
macintosh macintosh/windfarm: Remove obsolete cleanup for clientdata 2013-07-01 11:46:56 +10:00
mailbox
md md/raid10: fix bug which causes all RAID10 reshapes to move no data. 2013-07-04 16:42:57 +10:00
media Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
memory memory: tegra30-mc: Fix IRQ handler. 2013-06-17 16:46:06 -07:00
memstick drivers/memstick/host/r592.c: convert to module_pci_driver 2013-07-03 16:08:06 -07:00
message drivers: avoid format strings in names passed to alloc_workqueue() 2013-07-03 16:07:41 -07:00
mfd sound updates for 3.11 2013-07-03 19:52:22 -07:00
misc sound updates for 3.11 2013-07-03 19:52:22 -07:00
mmc Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
mtd drivers: avoid parsing names as kthread_run() format strings 2013-07-03 16:07:41 -07:00
net Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
nfc
ntb
nubus
of PM voltage domain clean-up via Kevin Hilman <khilman@linaro.org>: 2013-06-20 16:41:37 +02:00
oprofile
parisc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-07-03 09:10:19 -07:00
parport Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
pci Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
pcmcia Driver core patches for 3.11-rc1 2013-07-02 11:44:19 -07:00
pinctrl Pin control changes for the v3.11 kernel cycle: 2013-07-03 11:48:03 -07:00
platform drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
pnp Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
power
pps pps-gpio: add device-tree binding and support 2013-07-03 16:08:06 -07:00
ps3
ptp build some drivers only when compile-testing 2013-06-24 16:41:32 -07:00
pwm
rapidio rapidio: change endpoint device name format 2013-07-03 16:08:05 -07:00
regulator regulator: Updates for v3.11 2013-07-03 11:56:38 -07:00
remoteproc
reset
rpmsg
rtc drivers/rtc/rtc-sirfsoc.c: add rtc drivers for CSR SiRFprimaII and SiRFatlasVI 2013-07-03 16:08:01 -07:00
s390 Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
sbus
scsi Merge branch 'for-3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2013-07-03 19:49:46 -07:00
sfi
sh Merge branch 'pm-assorted' 2013-06-28 13:01:40 +02:00
sn
spi Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
ssb
ssbi Cleanups for MSM for 3.11 2013-06-14 18:28:02 -07:00
staging Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
target iscsi-target: Remove left over v3.10-rc debug printks 2013-06-20 16:47:41 -07:00
tc
thermal thermal: exynos: Support both EXYNOS4X12 SoCs 2013-06-19 01:31:50 +09:00
tty Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
uio uio: use vma_pages() to replace (vm_end - vm_start) >> PAGE_SHIFT 2013-07-03 16:07:26 -07:00
usb Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
uwb drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
vfio Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
vhost
video Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
virt
virtio Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
vlynq
vme vme: vme_tsi148.c: fix error return code in tsi148_probe() 2013-06-24 16:23:25 -07:00
w1 drivers/w1/slaves/w1_ds2408.c: add magic sequence to disable P0 test mode 2013-07-03 16:08:06 -07:00
watchdog Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
xen Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
zorro zorro: switch to fixed_size_llseek() 2013-06-29 12:57:28 +04:00
Kconfig FMC: create drivers/fmc and toplevel Kconfig question 2013-06-17 16:38:57 -07:00
Makefile FMC: create drivers/fmc and toplevel Kconfig question 2013-06-17 16:38:57 -07:00