Dmitry Torokhov
Oct 24, 2017, 1:30:08 AM
to Andrey Konovalov, linux...@vger.kernel.org, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
On Mon, Oct 23, 2017 at 01:24:23PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
>
> parse_hid_report_descriptor() has a while (i < length) loop, which
> only guarantees that there's at least 1 byte in the buffer, but the
> loop body can read multiple bytes which causes out-of-bounds access.
Ugh, this whole driver should be moved over to HID, but I am not sure
who has hardware to test... I just sent a patch plugging this hole.
Thanks for the report.
--
Dmitry
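The bug pattern Andrey describes above, as an added C example that is not the driver's code nor anything from the kernel tree. The item format is the standard HID short-item encoding (prefix byte: bSize in bits 1..0 mapping to 0/1/2/4 payload bytes, bType in bits 3..2, bTag in bits 7..4; a 0xFE prefix starts a long item). hid_unchecked_overrun() walks the same offsets a `while (i < length)` loop would and reports how many payload bytes the loop body would read past the end, without actually dereferencing them; hid_parse_short_items() is the hardened form that checks the whole item fits before touching any payload byte. Function names, struct layout and the descriptor bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded HID short item. Long items (prefix 0xFE) are rejected here. */
struct hid_item {
    size_t   offset;  /* byte offset of the item prefix in the descriptor */
    uint8_t  tag;     /* prefix bits 7..4 */
    uint8_t  type;    /* prefix bits 3..2: 0 main, 1 global, 2 local */
    uint8_t  size;    /* payload length in bytes: 0, 1, 2 or 4 */
    uint32_t value;   /* little-endian payload, zero-extended */
};

/* bSize field (prefix bits 1..0) to payload length, per the HID spec. */
static size_t hid_payload_len(uint8_t prefix)
{
    static const size_t table[4] = { 0, 1, 2, 4 };
    return table[prefix & 0x3];
}

/*
 * Model of the unsafe loop from the report: `while (i < length)` proves only
 * that data[i] exists, yet the body reads data[i+1 .. i+size] unchecked.
 * Rather than perform those reads (undefined behaviour), walk the same
 * offsets and return how many payload bytes the body would read beyond the
 * buffer, or 0 if this particular buffer happens to be well-formed.
 */
size_t hid_unchecked_overrun(const uint8_t *data, size_t length)
{
    size_t i = 0;
    while (i < length) {
        uint8_t prefix = data[i];            /* in bounds: i < length */
        size_t need = 1 + hid_payload_len(prefix);
        if (prefix == 0xFE)                  /* long item: 3-byte header */
            need = 3;
        if (i + need > length)
            return i + need - length;        /* bytes past the end */
        i += need;
    }
    return 0;
}

/*
 * Hardened parser: checks that the entire item (prefix + payload) fits in
 * the remaining bytes before reading any payload.  Returns the number of
 * items decoded, or -1 on a truncated/unsupported item, with *err_off set
 * to the offset of the offending prefix.
 */
int hid_parse_short_items(const uint8_t *data, size_t length,
                          struct hid_item *items, size_t max_items,
                          size_t *err_off)
{
    size_t i = 0, n = 0;

    while (i < length) {
        uint8_t prefix = data[i];
        size_t size = hid_payload_len(prefix);

        /* i < length here, so length - i cannot underflow. A real parser
         * would handle 0xFE after a matching 3-byte header check. */
        if (prefix == 0xFE || length - i < 1 + size || n == max_items) {
            if (err_off)
                *err_off = i;
            return -1;
        }

        struct hid_item *it = &items[n++];
        it->offset = i;
        it->tag    = prefix >> 4;
        it->type   = (prefix >> 2) & 0x3;
        it->size   = (uint8_t)size;
        it->value  = 0;
        for (size_t k = 0; k < size; k++)    /* now provably in bounds */
            it->value |= (uint32_t)data[i + 1 + k] << (8 * k);
        i += 1 + size;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample: Usage Page (Generic Desktop), Usage (Mouse),
     * Logical Maximum (4-byte payload 0xFFFF), Collection (Application),
     * End Collection. */
    static const uint8_t good[] = { 0x05, 0x01, 0x09, 0x02, 0x27, 0xFF, 0xFF,
                                    0x00, 0x00, 0xA1, 0x01, 0xC0 };
    /* Same descriptor cut after the Logical Maximum prefix and one byte. */
    static const uint8_t truncated[] = { 0x05, 0x01, 0x09, 0x02, 0x27, 0xFF };
    struct hid_item items[16];
    size_t off = 0;
    int n;

    n = hid_parse_short_items(good, sizeof good, items, 16, &off);
    printf("good: %d items\n", n);
    for (int k = 0; k < n; k++)
        printf("  off=%zu tag=0x%x type=%u size=%u value=0x%x\n",
               items[k].offset, items[k].tag, items[k].type,
               items[k].size, items[k].value);

    printf("truncated: unchecked loop would read %zu byte(s) past the end\n",
           hid_unchecked_overrun(truncated, sizeof truncated));
    n = hid_parse_short_items(truncated, sizeof truncated, items, 16, &off);
    printf("truncated: hardened parser returned %d at offset %zu\n", n, off);
    return 0;
}
```

The check that matters is `length - i < 1 + size`, evaluated before the payload loop; a fuzzer-supplied descriptor ending in a prefix byte whose bSize promises 4 more bytes is exactly the case the `while (i < length)` condition alone does not cover.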