Commit 48e98735 authored Dec 04, 2024 by Jiri Kosina Committed by Tirui Yin Dec 04, 2024

HID: core: zero-initialize the report buffer

stable inclusion
from stable-v4.19.324
commit e7ea60184e1e88a3c9e437b3265cbb6439aa7e26
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVT
CVE: CVE-2024-50302

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e7ea60184e1e88a3c9e437b3265cbb6439aa7e26



--------------------------------

[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]

Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.

Fixes: 27ce4050 ("HID: fix data access in implement()")
Reported-by: Benoît Sevens <bsevens@google.com>
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tirui Yin <yintirui@huawei.com>
Reviewed-by: yongqiang Liu <liuyongqiang13@huawei.com>

parent 98beb6bc

drivers/hid/hid-core.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1462,7 +1462,7 @@ u8 hid_alloc_report_buf(struct hid_report report, gfp_t flags)

		u32 len = hid_report_len(report) + 7;

		return kmalloc(len, flags);
		return kzalloc(len, flags);
		}
		EXPORT_SYMBOL_GPL(hid_alloc_report_buf);