Date: Sun, 01 Oct 2023 15:37:58 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274014] hmt.ko kernel panic - Asus Expertbook B5602
Message-ID: <bug-274014-227-oFQiu3DQfn@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-274014-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-274014-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274014

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markj@FreeBSD.org,
                   |                            |wulf@freebsd.org

--- Comment #1 from Mark Johnston <markj@FreeBSD.org> ---
Here we're crashing while parsing a HID report descriptor, it looks like the
descriptor is invalid somehow but the driver isn't doing enough validation:

        if (hi.collevel == 1 &&
            hi.usage >= HID_USAGE2(HUP_BUTTON, left_btn) &&
            hi.usage <= HID_USAGE2(HUP_BUTTON, HMT_BTN_MAX)) {
                btn = (hi.usage & 0xFFFF) - left_btn;
                setbit(sc->buttons, btn);
                sc->btn_loc[btn] = hi.loc;
                if (btn >= sc->max_button)
                        sc->max_button = btn + 1;
                break;
        }

In particular, we don't check that "btn" is in the range [0, 7].  I'm not sure
if this means that the descriptor is invalid or whether we're missing some
special case?

-- 
You are receiving this mail because:
You are the assignee for the bug.
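
An added userland example, not code from hmt.c or from the message above: one way to bound a button index derived from a device-supplied HID usage before it is used to index a fixed-size array. The demo_/DEMO_ names, the struct layout and the input values are constructed assumptions; only the valid index range [0, 7] is taken from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the driver's definitions (assumptions). */
#define DEMO_NBUTTONS    8        /* valid indices are [0, 7], per the message */
#define DEMO_PAGE_BUTTON 0x0009u  /* HID Button usage page */
#define DEMO_USAGE2(page, id) (((uint32_t)(page) << 16) | (uint32_t)(id))

struct demo_softc {
	uint8_t  buttons;                 /* one presence bit per button */
	uint32_t btn_loc[DEMO_NBUTTONS];  /* stand-in for the item location */
	uint32_t max_button;
};

/* Record one button item; returns false and leaves *sc untouched when the
 * device-supplied usage would index outside btn_loc[]. */
static bool
demo_add_button(struct demo_softc *sc, uint32_t usage, uint32_t first_btn,
    uint32_t loc)
{
	uint32_t id = usage & 0xFFFF, btn;

	if ((usage >> 16) != DEMO_PAGE_BUTTON)
		return (false);
	if (id < first_btn)            /* unsigned subtraction would wrap */
		return (false);
	btn = id - first_btn;
	if (btn >= DEMO_NBUTTONS)      /* explicit upper bound on the index */
		return (false);
	sc->buttons |= (uint8_t)(1u << btn);
	sc->btn_loc[btn] = loc;
	if (btn >= sc->max_button)
		sc->max_button = btn + 1;
	return (true);
}

int
main(void)
{
	struct demo_softc sc = { 0 };
	/* Constructed inputs: usage ID 8 with first button 1, then with 0. */
	bool ok = demo_add_button(&sc, DEMO_USAGE2(DEMO_PAGE_BUTTON, 8), 1, 17);
	bool bad = demo_add_button(&sc, DEMO_USAGE2(DEMO_PAGE_BUTTON, 8), 0, 99);
	printf("in range: %d, out of range: %d, max_button: %u\n", ok, bad,
	    (unsigned)sc.max_button);
	return (ok && !bad ? 0 : 1);
}
```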