Oct 24, 2017, 1:30:08 AM10/24/17
to Andrey Konovalov, linux...@vger.kernel.org, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
On Mon, Oct 23, 2017 at 01:24:23PM +0200, Andrey Konovalov wrote:
> I've got the following report while fuzzing the kernel with syzkaller.
> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
> parse_hid_report_descriptor() has a while (i < length) loop, which
> only guarantees that there's at least 1 byte in the buffer, but the
> loop body can read multiple bytes which causes out-of-bounds access.
Ugh, this whole driver should be moved over to HID, but I am not sure
who has hardware to test... I just sent a patch plugging this hole.
Thanks for the report.