Status: Fixed
Closed: Aug 2014
Linux kernel HID report fixup multiple off-by-one issues
Project Member Reported by hawkes@google.com, Aug 19 2014
A variety of HID drivers have off-by-one or similar bugs in their report descriptor fixup code. The following cases were identified:

- In hid-cherry.c, ch_report_fixup checks for rsize >= 17 and then sets rdesc[17].
- In hid-kye.c, kye_report_fixup checks for rsize >= 74 and then sets rdesc[74].
- In hid-lg.c, lg_report_fixup checks for rsize >= 90 and then sets rdesc[90]. Similar case with (quirks & LG_RDESC_REL_ABS) condition in same function.
- In hid-monterey.c, mr_report_fixup checks for rsize >= 30 and then sets rdesc[30].
- In hid-petalynx.c, pl_report_fixup checks for rsize >= 60 and then sets rdesc[60].
- In hid-sunplus.c, sp_report_fixup checks for rsize >= 107 and then sets both rdesc[110] and rdesc[111].

In practice it doesn't look like any of these would be exploitable due to kmalloc size alignment - i.e. none of these constant offsets appear to straddle a slab size class.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachment: hid-off-by-one-fix.patch (4.1 KB)
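Constructed illustration of the off-by-one pattern listed in the report, written for this page and not taken from the kernel drivers or the attached patch: a simplified model of the hid-cherry.c fixup with the reported guard (rsize >= 17) and write (rdesc[17]) beside a corrected guard, with a canary byte placed just past the logical end of the descriptor to show which variant writes out of bounds. The byte values written and the helper names are assumptions; the same test applies to the other drivers in the list with their own numbers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a HID report_fixup callback: the driver receives the
 * descriptor rdesc with byte length rsize and rewrites bytes in place. Only
 * the guard (rsize >= 17) and the index written (rdesc[17]) follow the report;
 * the byte values and helper names are constructed for this illustration. */

#define BACKING 64     /* oversized backing store so the demo stays memory-safe */
#define CANARY  0xAA   /* marker placed at rdesc[rsize], just past the logical end */

/* Buggy guard: rsize >= 17 admits a 17-byte descriptor (valid indices 0..16),
 * yet the body writes rdesc[17]. */
static void cherry_fixup_buggy(uint8_t *rdesc, unsigned int rsize)
{
    if (rsize >= 17) {
        rdesc[16] = 0xff;
        rdesc[17] = 0x03;   /* one byte past the end when rsize == 17 */
    }
}

/* Corrected guard: the highest index written is 17, so rsize must be >= 18. */
static void cherry_fixup_fixed(uint8_t *rdesc, unsigned int rsize)
{
    if (rsize >= 18) {
        rdesc[16] = 0xff;
        rdesc[17] = 0x03;
    }
}

/* Runs one fixup on a descriptor of rsize bytes with a canary at rdesc[rsize].
 * Returns true if the canary survived, i.e. the fixup stayed in bounds. */
static bool canary_intact(void (*fixup)(uint8_t *, unsigned int), unsigned int rsize)
{
    uint8_t buf[BACKING];
    if (rsize + 1 > BACKING)
        return false;
    memset(buf, 0, sizeof buf);
    buf[rsize] = CANARY;
    fixup(buf, rsize);
    return buf[rsize] == CANARY;
}

bool buggy_stays_in_bounds(unsigned int rsize) { return canary_intact(cherry_fixup_buggy, rsize); }
bool fixed_stays_in_bounds(unsigned int rsize) { return canary_intact(cherry_fixup_fixed, rsize); }
```

With a 17-byte descriptor the buggy guard passes and the write to rdesc[17] overwrites the canary, while the corrected guard simply declines to apply the fixup.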
Project Member Comment 1 by hawkes@google.com, Aug 21 2014
Labels: -Restrict-View-Commit
Status: Fixed
The patch has been committed by Jiri Kosina: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ab25786c87eb20857bbb715c3ae34ec8fd6a214

Thanks for the fast response from security@kernel.org and Jiri.
Project Member Comment 2 by hawkes@google.com, Sep 11 2014
Labels: CVE-2014-3184