commit d9d4b1e46d9543a82c23f6df03f4ad697dab361b upstream.
The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
[bwh: Backported to 3.16:
- Drop changes in hid-logitech-hidpp, hid-microsoft
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[haggertk: Backported to android/3.4:
- Drop changes to hid-sony, add changes to hid-pidff]
CVE-2019-19532
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: Icfe325236f0c40aa0c3ca638e903179b3935ad1e
f9cc3d1366