commit d9d4b1e46d9543a82c23f6df03f4ad697dab361b upstream.
The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ica4d1b6adc1bcb30ce077f7d954cb8ba94bce730
commit 0fb6bd06e06792469acc15bbe427361b56ada528 upstream.
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This allows the hid drivers to be independent from the transport layer.
The patch was constructed by replacing all occurences of
usbhid_submit_report() by its hid_hw_request() counterpart.
Then, drivers not requiring USB_HID anymore have their USB_HID
dependency cleaned in the Kconfig file.
Finally, few drivers still depends on USB_HID. Many of them
are requiring the io wait callback. They are found in the next patch.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
For the sensor-hub part:
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This is the first out of five patches me and Simon Wood (CC'd) have been
working on. It separates the handling of Logite from the generic lgff driver
and adds additional features specific for the Logitech wheels, namely
- Native mode support for Driving Force GT, Driving Force Pro, G25 and G27
wheels Every Logitech wheel reports itself as generic Logitech Driving Force
wheel (VID 046d, PID c294). This is done to ensu wheel will work on every USB
HID-aware system even when no Logitech driver is available. It however limits
the capabilit wheel - range is limited to 200 degrees, G25/G27 don't report the
clutch pedal and there is only one combined axis for t brake. The switch to
native mode is done via hardware-specific command which is different for each
wheel. When the wheel receives such command, it simulates reconnect and reports
to the OS with its actual PID.
- Adjustable wheel range DFGT, DFP, G25 and G27 have variable range of the
steering wheel. The range is limited by applying a maximum constant when the
wheel is turned beyond the allowed range. The limit as also set by a
hardware-specific command. There is a comm command for DFGT, G25 and G27 and
another one for DFP. It is probably possible to use the DFP command to limit
the range other Logitech wheels too, but this is not supported by the official
Logitech driver for Windows. The patch adds a sysfs interface which allows for
the range to be set from userspace.
- Fixed autocentering command All Logitech wheels support FF_AUTOCENTER effect.
The original implementation in the lgff driver didn't work well with patch
fixes it. According to USB communication sniffs the Formula Force EX (pretty
much rebranded original Driving Force accept the generic autocentering command,
this issue is also addressed by the patch
There are still some features this patch doesn't cover, but since some of them
will most likely require modifications of memless driver we have decided not to
include them yet.
As first we decided to move the handling of Logitech wheels from hid-lgff
driver to hid-lg4ff driver (originally used fo At also adds PID of Logitech
Driving Force GT.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Gere's a small patch to add support for the Logitech G27 wheel, since
the prior patch only added FF support for the Driving Force Pro and G25.
The patch contains the changes from the G25 and DFP, too.
I tested the changes with wine/LFS and got full support for all axes and
buttons.
Signed-off: Peter Gundermann <slim-one@users.sourceforge.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Small patch to add support for the G25/G27 by adding USB ID's
as suggested by Peter.
Boots but otherwise untested as I don't have hardware, .debs for
kernel (2.6.38) here if want to test/run Ubuntu/Debian:
http://www.mungewell.org/Logitech_Wii_Wheel/
Reported-by: Peter Gundermann <slim-one@users.sourceforge.net>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Neaten current uses of dev_<level> by adding and using
hid specific hid_<level> macros.
Convert existing uses of dev_<level> uses to hid_<level>.
Convert hid-pidff printk uses to hid_<level>.
Remove err_hid and use hid_err instead.
Add missing newlines to logging messages where necessary.
Coalesce format strings.
Add and use pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Other miscellaneous changes:
Add const struct hid_device * argument to hid-core functions
extract() and implement() so hid_<level> can be used by them.
Fix bad indentation in hid-core hid_input_field function
that calls extract() function above.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Implements a new USB-HID for Force Feedback based on the normal
Logitech Force Feedback code and FF-Memless.
Currently only supports the FF_CONSTANT effect although the joystick
appears to support additional non-standard ones.
Signed-off-by: Gary Stein <LordCnidarian@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
list_entry, which is an alias for container_of, cannot return NULL, as
there is no way to add a NULL value to a doubly linked list.
A simplified version of the semantic match that findds this problem is as
follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@r@
expression x,E;
statement S1,S2;
position p,p1;
@@
*x = list_entry@p(...)
... when != x = E
*if@p1 (x == NULL) S1 else S2
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Add force feedback support for Logitech WingMan Formula Force GP
(0x046d/0xc293).
Reported-by: wylda@volny.cz
Tested-by: wylda@volny.cz
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch adds autocentering support for Logitech Force 3D Pro.
Signed-off-by: Sergey Belyashov <Sergey.Belyashov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Some months ago I send patch which adds autocentering for Logitech MOMO Wheel.
Now I have access to Logitech G25 Racing Wheel and test autocentering for it. I
write patch for current kernel to support autocentering for G25 in legacy mode
(this device supports other modes, but after switching device reconnects with
ID 0xc299 and FF support comes out) and others Logitech (Driving Force,
Formula Force Ex etc) wheels with ID 046d:c294.
Signed-off-by: Sergey Belyashov <Sergey.Belyashov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Current kernel has no support for autocentering for Logitech wheels. By
default autocentering enabled in wheel and constant effect does not work
properly. Using USB sniffer I found command which change autocentering
settings: 0xFE, 0x0D, 0x0R, 0x0L, 0x80, 0x00, 0x00, where R - clockwise force,
L - counter-clockwise (0x0-0xF, 0xC = 100%).
Signed-off-by: Sergey Belyashov <Sergey.Belyashov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Merge the logitech force feedback processing directly into logitech
driver from the usbhid core.
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2008-10-14 23:50:56 +02:00
Renamed from drivers/hid/usbhid/hid-lgff.c (Browse further)
Alan Stern
Kees Cook
Benjamin Tissoires
Michal Malý
Jiri Kosina
Peter Gundermann
Simon Wood
Joe Perches
Gary Stein
Julia Lawall
Sergey Belyashov
Jiri Slaby