mirror of
https://github.com/torvalds/linux.git
synced 2026-05-30 00:29:35 +08:00
2c85c61d13
commit0a3fe972a7("HID: core: Mitigate potential OOB by removing bogus memset()") enforced the provided data to be at least the size of the declared buffer in the report descriptor to prevent a buffer overflow. However, we can try to be smarter by providing both the buffer size and the data size, meaning that hid_report_raw_event() can make better decision whether we should plaining reject the buffer (buffer overflow attempt) or if we can safely memset it to 0 and pass it to the rest of the stack. Fixes:0a3fe972a7("HID: core: Mitigate potential OOB by removing bogus memset()") Cc: stable@vger.kernel.org Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Acked-by: Johan Hovold <johan@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
75 lines
1.9 KiB
C
75 lines
1.9 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* HID driver for primax and similar keyboards with in-band modifiers
|
|
*
|
|
* Copyright 2011 Google Inc. All Rights Reserved
|
|
*
|
|
* Author:
|
|
* Terry Lambert <tlambert@google.com>
|
|
*/
|
|
|
|
#include <linux/device.h>
|
|
#include <linux/hid.h>
|
|
#include <linux/module.h>
|
|
|
|
#include "hid-ids.h"
|
|
|
|
static int px_raw_event(struct hid_device *hid, struct hid_report *report,
|
|
u8 *data, int size)
|
|
{
|
|
int idx = size;
|
|
|
|
switch (report->id) {
|
|
case 0: /* keyboard input */
|
|
/*
|
|
* Convert in-band modifier key values into out of band
|
|
* modifier bits and pull the key strokes from the report.
|
|
* Thus a report data set which looked like:
|
|
*
|
|
* [00][00][E0][30][00][00][00][00]
|
|
* (no modifier bits + "Left Shift" key + "1" key)
|
|
*
|
|
* Would be converted to:
|
|
*
|
|
* [01][00][00][30][00][00][00][00]
|
|
* (Left Shift modifier bit + "1" key)
|
|
*
|
|
* As long as it's in the size range, the upper level
|
|
* drivers don't particularly care if there are in-band
|
|
* 0-valued keys, so they don't stop parsing.
|
|
*/
|
|
while (--idx > 1) {
|
|
if (data[idx] < 0xE0 || data[idx] > 0xE7)
|
|
continue;
|
|
data[0] |= (1 << (data[idx] - 0xE0));
|
|
data[idx] = 0;
|
|
}
|
|
hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
|
|
return 1;
|
|
|
|
default: /* unknown report */
|
|
/* Unknown report type; pass upstream */
|
|
hid_info(hid, "unknown report type %d\n", report->id);
|
|
break;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static const struct hid_device_id px_devices[] = {
|
|
{ HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_KEYBOARD) },
|
|
{ }
|
|
};
|
|
MODULE_DEVICE_TABLE(hid, px_devices);
|
|
|
|
static struct hid_driver px_driver = {
|
|
.name = "primax",
|
|
.id_table = px_devices,
|
|
.raw_event = px_raw_event,
|
|
};
|
|
module_hid_driver(px_driver);
|
|
|
|
MODULE_AUTHOR("Terry Lambert <tlambert@google.com>");
|
|
MODULE_DESCRIPTION("HID driver for primax and similar keyboards with in-band modifiers");
|
|
MODULE_LICENSE("GPL");
|