From nobody Tue Jan 21 12:34:10 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Ycmq66K9vz5l2rD; Tue, 21 Jan 2025 12:34:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ycmq65Pwkz3lvt; Tue, 21 Jan 2025 12:34:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1737462850; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jZkUlyhPMDdcHCl9Y8oEsye1NjqhlJSPsaOdk28il0c=; b=YTMdZskViD9ZNxOVF/2WhelU//pkKolYlfFpyb1z2bPzPX2oBY/lj/IZKirBn92UM+6gzv kGVBN2WGXSXWi/NWslohbZs9K87IJwHx/ZtllVd5sxzwIpkAe6pslCQ+tL1nmg86BBc3nN LtItkvmUJGR6SM8PhOZsZQGqCWhQX2ZV86VgGNk34B8xdsCd31tJKRt56xs97WAfnUvkW0 7ozApbR28J1R6AmPX1fWjczuWwFMqcdAYC4tFXh7FJDbGDlxb3Y2WjubnX2oMGAZtx0+8e ASFTEK+1Mjef9IId2j1Oy3g9nsmhYFXriDLBTD+3HAwQrqp6lSNr3n7MS+GnRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1737462850; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jZkUlyhPMDdcHCl9Y8oEsye1NjqhlJSPsaOdk28il0c=; b=DJadxV9xgW4aCWAJ1RuQuYpvf+wyxiIgeJLvLCZWQ1XMkUM5ewi0zaxm1P0FY7dUPmToz6 29rqdsKMQgzpCFHjsFhQ4HMdz9sI49zoE8AhErQc8sLGm5N5cN/DZrHtzIqbPQDbhWIFQI jNbyXEVm5nbrx8+ZIed6sc8KeePLa546z0RCqlbcpdrQ9geMwzFNvBjultpz0QV76VEEIh DRffwrl1ms+ZACKf+X9HW43Hjz1AhTw+3ZW0+tTBwP2pxeE0wD2p1qAC4u1tsFSto4IZ3f bIknWsadrzZGLfjD46xa5Z9eLEjIKe4lVEo3MNeXOjmo8rUqxY2lUEt4mrxVNg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1737462850; a=rsa-sha256; cv=none; b=oU56vA7I+K304ABhxnzCm2HCXRTE4vghB2bVywB0mFEVRia4CZiPxrVfA/Y/Xm5igwTz4V ZRSqgGRhns9VoIczdaZmJ2QAKjedxo4Q1x8NSpIe7S3gmH7ZiIlCJn03S2J1Op7bkHd4dg y5WPiWCuIZVpP8uMjbNaJ9EptR/+VuY9OZgVJLcJ0wj4dlP2JRo+Wk3iVzpN4KjfZyOUDL TFy5WcNBuLveOCJizjkznj2UnOCcfmPVij1web3Xdogm3GK4lALqe+IAkEZqzPUGcWZJqY PGNSEKwfpD6ZzQbwKvjeUWAWIUzAwgfOjIK8FA8oKRAQEn4Yt1a29ilBv6Fd5Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Ycmq64vYkz15jg; Tue, 21 Jan 2025 12:34:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 50LCYAaA079288; Tue, 21 Jan 2025 12:34:10 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 50LCYADb079285; Tue, 21 Jan 2025 12:34:10 GMT (envelope-from git) Date: Tue, 21 Jan 2025 12:34:10 GMT Message-Id: <202501211234.50LCYADb079285@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: ecf605de97b7 - stable/13 - hid: Correctly handle signed/unsigned quantities in kernel HID parser. List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: ecf605de97b702ef09c64ee51c5a70f427ae0bfa Auto-Submitted: auto-generated The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=ecf605de97b702ef09c64ee51c5a70f427ae0bfa commit ecf605de97b702ef09c64ee51c5a70f427ae0bfa Author: Vladimir Kondratyev AuthorDate: 2024-12-22 03:16:11 +0000 Commit: Ed Maste CommitDate: 2025-01-21 12:33:47 +0000 hid: Correctly handle signed/unsigned quantities in kernel HID parser. Wrong signedness of usage value results in inverted range check in hmt(4) driver that allows out of bound array access leading to panic. Reported by: many Sponsored by: Future Crew, LLC Obtained from: NetBSD NetBSD PR: kern/53605 PR: 274014, 282592 (cherry picked from commit 38b67578fb4bbf568f7012ca3921a4d15cfe7c5d) (cherry picked from commit 1dda3a6ed9c51adc908fee4db5917b1232fa932c) --- sys/dev/hid/hid.c | 91 +++++++++++++++++++++++++++++-------------------------- sys/dev/hid/hid.h | 32 +++++++++---------- 2 files changed, 64 insertions(+), 59 deletions(-) diff --git a/sys/dev/hid/hid.c b/sys/dev/hid/hid.c index 5e6ad5bb7aef..b48fa01b31ec 100644 --- a/sys/dev/hid/hid.c +++ b/sys/dev/hid/hid.c @@ -73,7 +73,7 @@ hid_test_quirk_t *hid_test_quirk_p = &hid_test_quirk_w; #define MAXLOCCNT 2048 struct hid_pos_data { - int32_t rid; + uint32_t rid; uint32_t pos; }; @@ -83,9 +83,9 @@ struct hid_data { const uint8_t *p; struct hid_item cur[MAXPUSH]; struct hid_pos_data last_pos[MAXID]; - int32_t usages_min[MAXUSAGE]; - int32_t usages_max[MAXUSAGE]; - int32_t usage_last; /* last seen usage */ + uint32_t usages_min[MAXUSAGE]; + uint32_t usages_max[MAXUSAGE]; + uint32_t usage_last; /* last seen usage */ uint32_t loc_size; /* last seen size */ uint32_t loc_count; /* last seen count */ uint32_t ncount; /* end usage item count */ @@ -121,7 +121,7 @@ hid_clear_local(struct hid_item *c) } static void -hid_switch_rid(struct hid_data *s, struct hid_item *c, int32_t next_rID) +hid_switch_rid(struct hid_data *s, struct hid_item *c, uint32_t next_rID) { uint8_t i; @@ -246,6 +246,7 @@ hid_get_item(struct hid_data *s, struct hid_item *h) uint32_t oldpos; int32_t mask; int32_t dval; + uint32_t uval; if (s == NULL) return (0); @@ -257,10 +258,10 @@ hid_get_item(struct hid_data *s, struct hid_item *h) if (s->icount < s->ncount) { /* get current usage */ if (s->iusage < s->nusage) { - dval = s->usages_min[s->iusage] + s->ousage; - c->usage = dval; - s->usage_last = dval; - if (dval == s->usages_max[s->iusage]) { + uval = s->usages_min[s->iusage] + s->ousage; + c->usage = uval; + s->usage_last = uval; + if (uval == s->usages_max[s->iusage]) { s->iusage ++; s->ousage = 0; } else { @@ -268,7 +269,7 @@ hid_get_item(struct hid_data *s, struct hid_item *h) } } else { DPRINTFN(1, "Using last usage\n"); - dval = s->usage_last; + uval = s->usage_last; } c->nusages = 1; /* array type HID item may have multiple usages */ @@ -322,28 +323,32 @@ hid_get_item(struct hid_data *s, struct hid_item *h) } switch (bSize) { case 0: - dval = 0; + uval = 0; + dval = uval; mask = 0; break; case 1: - dval = (int8_t)hid_get_byte(s, 1); + uval = hid_get_byte(s, 1); + dval = (int8_t)uval; mask = 0xFF; break; case 2: - dval = hid_get_byte(s, 1); - dval |= hid_get_byte(s, 1) << 8; - dval = (int16_t)dval; + uval = hid_get_byte(s, 1); + uval |= hid_get_byte(s, 1) << 8; + dval = (int16_t)uval; mask = 0xFFFF; break; case 4: - dval = hid_get_byte(s, 1); - dval |= hid_get_byte(s, 1) << 8; - dval |= hid_get_byte(s, 1) << 16; - dval |= hid_get_byte(s, 1) << 24; + uval = hid_get_byte(s, 1); + uval |= hid_get_byte(s, 1) << 8; + uval |= hid_get_byte(s, 1) << 16; + uval |= hid_get_byte(s, 1) << 24; + dval = uval; mask = 0xFFFFFFFF; break; default: - dval = hid_get_byte(s, bSize); + uval = hid_get_byte(s, bSize); + dval = uval; DPRINTFN(0, "bad length %u (data=0x%02x)\n", bSize, dval); continue; @@ -355,7 +360,7 @@ hid_get_item(struct hid_data *s, struct hid_item *h) case 8: /* Input */ c->kind = hid_input; ret: - c->flags = dval; + c->flags = uval; c->loc.count = s->loc_count; c->loc.size = s->loc_size; @@ -385,7 +390,7 @@ hid_get_item(struct hid_data *s, struct hid_item *h) goto ret; case 10: /* Collection */ c->kind = hid_collection; - c->collection = dval; + c->collection = uval; c->collevel++; c->usage = s->usage_last; c->nusages = 1; @@ -411,7 +416,7 @@ hid_get_item(struct hid_data *s, struct hid_item *h) case 1: /* Global */ switch (bTag) { case 0: - c->_usage_page = dval << 16; + c->_usage_page = uval << 16; break; case 1: c->logical_minimum = dval; @@ -426,21 +431,21 @@ hid_get_item(struct hid_data *s, struct hid_item *h) c->physical_maximum = dval; break; case 5: - c->unit_exponent = dval; + c->unit_exponent = uval; break; case 6: - c->unit = dval; + c->unit = uval; break; case 7: /* mask because value is unsigned */ - s->loc_size = dval & mask; + s->loc_size = uval & mask; break; case 8: - hid_switch_rid(s, c, dval & mask); + hid_switch_rid(s, c, uval & mask); break; case 9: /* mask because value is unsigned */ - s->loc_count = dval & mask; + s->loc_count = uval & mask; break; case 10: /* Push */ /* stop parsing, if invalid push level */ @@ -483,14 +488,14 @@ hid_get_item(struct hid_data *s, struct hid_item *h) switch (bTag) { case 0: if (bSize != 4) - dval = (dval & mask) | c->_usage_page; + uval = (uval & mask) | c->_usage_page; /* set last usage, in case of a collection */ - s->usage_last = dval; + s->usage_last = uval; if (s->nusage < MAXUSAGE) { - s->usages_min[s->nusage] = dval; - s->usages_max[s->nusage] = dval; + s->usages_min[s->nusage] = uval; + s->usages_max[s->nusage] = uval; s->nusage ++; } else { DPRINTFN(0, "max usage reached\n"); @@ -503,16 +508,16 @@ hid_get_item(struct hid_data *s, struct hid_item *h) s->susage |= 1; if (bSize != 4) - dval = (dval & mask) | c->_usage_page; - c->usage_minimum = dval; + uval = (uval & mask) | c->_usage_page; + c->usage_minimum = uval; goto check_set; case 2: s->susage |= 2; if (bSize != 4) - dval = (dval & mask) | c->_usage_page; - c->usage_maximum = dval; + uval = (uval & mask) | c->_usage_page; + c->usage_maximum = uval; check_set: if (s->susage != 3) @@ -533,25 +538,25 @@ hid_get_item(struct hid_data *s, struct hid_item *h) s->susage = 0; break; case 3: - c->designator_index = dval; + c->designator_index = uval; break; case 4: - c->designator_minimum = dval; + c->designator_minimum = uval; break; case 5: - c->designator_maximum = dval; + c->designator_maximum = uval; break; case 7: - c->string_index = dval; + c->string_index = uval; break; case 8: - c->string_minimum = dval; + c->string_minimum = uval; break; case 9: - c->string_maximum = dval; + c->string_maximum = uval; break; case 10: - c->set_delimiter = dval; + c->set_delimiter = uval; break; default: DPRINTFN(0, "Local bTag=%d\n", bTag); diff --git a/sys/dev/hid/hid.h b/sys/dev/hid/hid.h index 5840c189352c..b8e733cde13d 100644 --- a/sys/dev/hid/hid.h +++ b/sys/dev/hid/hid.h @@ -236,31 +236,31 @@ struct hid_location { struct hid_item { /* Global */ - int32_t _usage_page; + uint32_t _usage_page; int32_t logical_minimum; int32_t logical_maximum; int32_t physical_minimum; int32_t physical_maximum; - int32_t unit_exponent; - int32_t unit; - int32_t report_ID; + uint32_t unit_exponent; + uint32_t unit; + uint32_t report_ID; /* Local */ int nusages; union { - int32_t usage; - int32_t usages[HID_ITEM_MAXUSAGE]; + uint32_t usage; + uint32_t usages[HID_ITEM_MAXUSAGE]; }; - int32_t usage_minimum; - int32_t usage_maximum; - int32_t designator_index; - int32_t designator_minimum; - int32_t designator_maximum; - int32_t string_index; - int32_t string_minimum; - int32_t string_maximum; - int32_t set_delimiter; + uint32_t usage_minimum; + uint32_t usage_maximum; + uint32_t designator_index; + uint32_t designator_minimum; + uint32_t designator_maximum; + uint32_t string_index; + uint32_t string_minimum; + uint32_t string_maximum; + uint32_t set_delimiter; /* Misc */ - int32_t collection; + uint32_t collection; int collevel; enum hid_kind kind; uint32_t flags;