HID: usbhid: fix info leak in hid_submit_ctrl
stable inclusion
from stable-v4.19.196
commit 0e280502be1b003c3483ae03fc60dea554fcfa82
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I93XA7
CVE: CVE-2021-46906

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0e280502be1b003c3483ae03fc60dea554fcfa82

--------------------------------

[ Upstream commit 6be388f4 ]

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

Reported-by: <syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
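
The arithmetic behind the leak, as an added C example that is not part of the commit or the kernel source: with an unsigned bit count of 0, a subtract-one round-up wraps around, while DIV_ROUND_UP yields 0. The pre-fix formula, the pad-and-clamp model of the caller, the struct and the buffer constant are assumptions made here for illustration; only the DIV_ROUND_UP fix and the 16384 figure come from the commit message.

```c
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define BUF_SIZE 16384u /* assumed buffer size, chosen to match the commit message */

/* Constructed stand-in for the two hid_report fields the length depends on. */
struct report {
    unsigned int id;   /* non-zero id adds one prefix byte */
    unsigned int size; /* report size in bits */
};

/* Assumed pre-fix round-up: size == 0 makes (size - 1) wrap to UINT_MAX. */
static unsigned int len_before(const struct report *r)
{
    return ((r->size - 1) >> 3) + 1 + (r->id > 0);
}

/* Round-up as the commit message describes it: 0 bits gives 0 bytes. */
static unsigned int len_after(const struct report *r)
{
    return DIV_ROUND_UP(r->size, 8) + (r->id > 0);
}

/* Assumed model of the caller: pad to maxpacket, then clamp to the buffer. */
static unsigned int transfer_len(unsigned int len, unsigned int maxpacket)
{
    unsigned int padlen;

    if (maxpacket == 0)
        return 0;
    padlen = DIV_ROUND_UP(len, maxpacket) * maxpacket;
    return padlen > BUF_SIZE ? BUF_SIZE : padlen;
}

int main(void)
{
    /* Constructed sample reports: {id, size in bits}. */
    const struct report samples[] = { {0, 0}, {0, 1}, {1, 64}, {2, 13} };
    unsigned int i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int b = len_before(&samples[i]), a = len_after(&samples[i]);
        printf("id=%u size=%u  before: len=%u xfer=%u  after: len=%u xfer=%u\n",
               samples[i].id, samples[i].size, b, transfer_len(b, 8),
               a, transfer_len(a, 8));
    }
    return 0;
}
```

Both formulas agree for every non-zero size; they differ only at size 0, where the wrapped length is clamped to the full buffer and the transfer would cover bytes the report never wrote.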