From 27ce405039bfe6d3f4143415c638f56a3df77dca Mon Sep 17 00:00:00 2001
From: Jiri Kosina
Date: Wed, 10 Jul 2013 19:56:27 +0200
Subject: HID: fix data access in implement()

implement() is setting bytes in LE data stream. In case the data is not aligned to 64bits, it reads past the allocated buffer. It doesn't really change any value there (it's properly bitmasked), but in case that this read past the boundary hits a page boundary, pagefault happens when accessing 64bits of 'x' in implement(), and kernel oopses. This happens much more often when numbered reports are in use, as the initial 8bit skip in the buffer makes the whole process work on values which are not aligned to 64bits. This problem dates back to attempts in 2005 and 2006 to make implement() and extract() as generic as possible, and even back then the problem was realized by Adam Kroperlin, but falsely assumed to be impossible to cause any harm:

http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html

I have made several attempts at fixing it "on the spot" directly in implement(), but the results were horrible; the special casing for processing last 64bit chunk and switching to different math makes it unreadable mess. I therefore took a path to allocate a few bytes more which will never make it into final report, but are there as a cushion for all the 64bit math operations happening in implement() and extract(). All callers of hid_output_report() are converted at the same time to allocate the buffer by newly introduced hid_alloc_report_buf() helper. Bruno noticed that the whole raw_size test can be dropped as well, as hid_alloc_report_buf() makes sure that the buffer is always of a proper size.

Reviewed-by: Benjamin Tissoires
Acked-by: Gustavo Padovan
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 0c48991b0402..acccdf4eb485 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -744,6 +744,7 @@ struct hid_field *hidinput_get_led_field(struct hid_device *hid);
 unsigned int hidinput_count_leds(struct hid_device *hid);
 __s32 hidinput_calc_abs_res(const struct hid_field *field, __u16 code);
 void hid_output_report(struct hid_report *report, __u8 *data);
+u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);
 struct hid_device *hid_allocate_device(void);
 struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
 int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
-- cgit v1.2.3

From ddf64a3c03d4d68431146a0f1622844cc6cb6c22 Mon Sep 17 00:00:00 2001
From: David Herrmann
Date: Mon, 15 Jul 2013 19:10:10 +0200
Subject: HID: usbhid: make usbhid_set_leds() static

usbhid_set_leds() is only used inside of usbhid/hid-core.c so no need to export it.

Signed-off-by: David Herrmann
Reviewed-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 1 -
 1 file changed, 1 deletion(-)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 0c48991b0402..b8058c5c5594 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -989,7 +989,6 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 u32 usbhid_lookup_quirk(const u16 idVendor, const u16 idProduct);
 int usbhid_quirks_init(char **quirks_param);
 void usbhid_quirks_exit(void);
-void usbhid_set_leds(struct hid_device *hid);
 
 #ifdef CONFIG_HID_PID
 int hid_pidff_init(struct hid_device *hid);
-- cgit v1.2.3

From 50c9d75b6f01a337aab728511bc1d2a0a3d7b800 Mon Sep 17 00:00:00 2001
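Review bot: The new `hid_alloc_report_buf()` prototype is spelled with `u8 *` while `hid_output_report()` three lines above it, the function that consumes the very buffer it returns, takes `__u8 *data`; the two declarations should agree, e.g. `__u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);`. The declaration also carries none of the contract the commit message describes: that the buffer is over-allocated as a cushion for the 64-bit wide accesses in implement()/extract(), so a plain allocation of the report's size is not a valid argument to `hid_output_report()`. A reader of the header cannot learn that from this hunk; a comment above the prototype along the lines of `/* Allocate a buffer for hid_output_report(); sized with slack so implement()/extract() may read past the report's end. */` would carry it. Who releases the buffer is not visible here either, so state that in the same comment once confirmed against the helper's definition in hid-core.c.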
From: David Herrmann
Date: Mon, 15 Jul 2013 19:10:12 +0200
Subject: HID: input: generic hidinput_input_event handler

The hidinput_input_event() callback converts input events written from userspace into HID reports and sends them to the device. We currently implement this in every HID transport driver, even though most of them do the same. This provides a generic hidinput_input_event() implementation which is mostly copied from usbhid. It uses a delayed worker to allow multiple LED events to be collected into a single output event. We use the custom ->request() transport driver callback to allow drivers to adjust the outgoing report and handle the request asynchronously. If no custom ->request() callback is available, we fall back to the generic raw output report handler (which is synchronous). Drivers can still provide custom hidinput_input_event() handlers (see logitech-dj) if the generic implementation doesn't fit their needs.

Signed-off-by: David Herrmann
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index b8058c5c5594..ea4b828cb9cd 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -456,6 +456,7 @@ struct hid_device { /* device report descriptor */
 enum hid_type type; /* device type (mouse, kbd, ...) */
 unsigned country; /* HID country */
 struct hid_report_enum report_enum[HID_REPORT_TYPES];
+ struct work_struct led_work; /* delayed LED worker */
 
 struct semaphore driver_lock; /* protects the current driver, except during input */
 struct semaphore driver_input_lock; /* protects the current driver */
-- cgit v1.2.3

From f961bd3516e4f699bbacff5d7f5247d6d87c59f0 Mon Sep 17 00:00:00 2001
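Review bot: The comment on the added field, `/* delayed LED worker */`, names the mechanism rather than the contract, and "delayed" invites a misreading as `struct delayed_work`, which the field is not. Because `led_work` is embedded in `struct hid_device`, a work item still queued when the device is freed would run against freed memory, so the important facts for a reader of this header are what the work flushes and who is responsible for initialising and cancelling it; neither is visible in this hunk. Suggest a comment such as `/* work item that pushes pending LED state to the device; owned by the HID core, transport drivers must not touch it */`, after confirming in hid-input.c that the core indeed pairs the INIT_WORK with a cancel on teardown.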
From: Benjamin Tissoires
Date: Thu, 22 Aug 2013 14:51:08 +0200
Subject: HID: detect Win 8 multitouch devices in core

Detecting Win 8 multitouch devices in core allows us to set quirks before the device is parsed through hid_hw_start(). It also simplifies the detection of those devices in hid-multitouch and makes the handling of those devices cleaner. As Win 8 multitouch panels are in the group multitouch and rely on a special feature to be detected, this patch adds a bitfield in the parser.

Signed-off-by: Benjamin Tissoires
Reviewed-by: Henrik Rydberg
Tested-by: Srinivas Pandruvada
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 0c48991b0402..cef1e9b86cc4 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -295,6 +295,7 @@ struct hid_item {
 #define HID_GROUP_GENERIC 0x0001
 #define HID_GROUP_MULTITOUCH 0x0002
 #define HID_GROUP_SENSOR_HUB 0x0003
+#define HID_GROUP_MULTITOUCH_WIN_8 0x0004
 
 /*
 * This is the global environment of the parser. This information is
@@ -532,6 +533,8 @@ static inline void hid_set_drvdata(struct hid_device *hdev, void *data)
 #define HID_GLOBAL_STACK_SIZE 4
 #define HID_COLLECTION_STACK_SIZE 4
 
+#define HID_SCAN_FLAG_MT_WIN_8 0x00000001
+
 struct hid_parser {
 struct hid_global global;
 struct hid_global global_stack[HID_GLOBAL_STACK_SIZE];
@@ -540,6 +543,7 @@ struct hid_parser {
 unsigned collection_stack[HID_COLLECTION_STACK_SIZE];
 unsigned collection_stack_ptr;
 struct hid_device *device;
+ unsigned scan_flags;
 };
 
 struct hid_class_descriptor {
-- cgit v1.2.3

From 595e9276ce68791317484ec7f0f9f2e0457c3b34 Mon Sep 17 00:00:00 2001
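Review bot: `scan_flags` is added to `struct hid_parser` as a bare `unsigned` with no comment, and `HID_SCAN_FLAG_MT_WIN_8` is defined in the preceding hunk with nothing tying the two together, so a reader cannot tell that the field is a bitmask of `HID_SCAN_FLAG_*` values or when it is populated. Suggest `unsigned scan_flags; /* HID_SCAN_FLAG_* bits collected while scanning the report descriptor */` on the field, and a one-line comment above the define naming `hid_parser.scan_flags` as its home. None of these hunks show the parser being zero-initialised before the scan; if it is allocated with a zeroing allocator that is covered, but it is worth confirming, since stale bits here would feed straight into the group chosen from a device-supplied descriptor.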
From: Benjamin Tissoires
Date: Thu, 22 Aug 2013 14:51:09 +0200
Subject: HID: do not init input reports for Win 8 multitouch devices

Some multitouch screens do not like to be polled for input reports. However, the Win8 spec says that all touches should be sent during each report, making the initialization of reports unnecessary. The Win7 spec is less precise, so do not use this for those devices. Add the quirk HID_QUIRK_NO_INIT_INPUT_REPORTS so that we do not have to introduce a quirk for each problematic device. This quirk makes the driver behave the same way the Win 8 does. It actually retrieves the features, but not the inputs.

Signed-off-by: Benjamin Tissoires
Reviewed-by: Henrik Rydberg
Tested-by: Srinivas Pandruvada
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index cef1e9b86cc4..bc132d2a20aa 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -283,6 +283,7 @@ struct hid_item {
 #define HID_QUIRK_MULTI_INPUT 0x00000040
 #define HID_QUIRK_HIDINPUT_FORCE 0x00000080
 #define HID_QUIRK_NO_EMPTY_INPUT 0x00000100
+#define HID_QUIRK_NO_INIT_INPUT_REPORTS 0x00000200
 #define HID_QUIRK_SKIP_OUTPUT_REPORTS 0x00010000
 #define HID_QUIRK_FULLSPEED_INTERVAL 0x10000000
 #define HID_QUIRK_NO_INIT_REPORTS 0x20000000
-- cgit v1.2.3

From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Wed, 28 Aug 2013 22:29:55 +0200
Subject: HID: validate HID report id size

The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 0c48991b0402..ff545cc33c3a 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -393,10 +393,12 @@ struct hid_report {
 struct hid_device *device; /* associated device */
 };
 
+#define HID_MAX_IDS 256
+
 struct hid_report_enum {
 unsigned numbered;
 struct list_head report_list;
- struct hid_report *report_id_hash[256];
+ struct hid_report *report_id_hash[HID_MAX_IDS];
 };
 
 #define HID_REPORT_TYPES 3
-- cgit v1.2.3

From 39054a5afbb05f83aaa26f6cf55027e269744ba3 Mon Sep 17 00:00:00 2001
From: David Herrmann
Date: Mon, 2 Sep 2013 14:00:05 +0200
Subject: HID: move HID_REPORT_TYPES closer to the report-definitions

HID_REPORT_TYPES defines the number of available report-types. Move it closer to the actualy definition of the report-types so we can see the relation more clearly (and hopefully will never forget to update it).

Signed-off-by: David Herrmann
Signed-off-by: Jiri Kosina
---
 include/linux/hid.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'include/linux/hid.h')

diff --git a/include/linux/hid.h b/include/linux/hid.h
index d50137691a78..729bf27aac8f 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -252,6 +252,8 @@ struct hid_item {
 #define HID_OUTPUT_REPORT 1
 #define HID_FEATURE_REPORT 2
 
+#define HID_REPORT_TYPES 3
+
 /*
 * HID connect requests
 */
@@ -401,8 +403,6 @@ struct hid_report_enum {
 struct hid_report *report_id_hash[HID_MAX_IDS];
 };
 
-#define HID_REPORT_TYPES 3
-
 #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */
 #define HID_MAX_BUFFER_SIZE 4096 /* 4kb */
 #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */
-- cgit v1.2.3
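Review bot: `HID_MAX_IDS` gives the bound of `report_id_hash[]` a single name, but this hunk only resizes the array; the check that rejects a descriptor-supplied report ID of 256 or more before it is used as an index lives outside this header (the commit message places the crash in `hid_register_report()`), so the header change alone does not close the out-of-bounds access. A comment on the define would keep the two in step for the next maintainer, e.g. `#define HID_MAX_IDS 256 /* report IDs are one byte on the wire; check id < HID_MAX_IDS before indexing report_id_hash[] */`. Whoever reviews the companion hid-core.c change should confirm the comparison is `>= HID_MAX_IDS` and not `> HID_MAX_IDS`, since the array has exactly HID_MAX_IDS slots, and that every path that indexes by an ID taken from the device goes through that check.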
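Review bot: The relocated `#define HID_REPORT_TYPES 3` now sits directly under `HID_FEATURE_REPORT 2`, but nothing in the text states the invariant the move is meant to make visible, that it equals the highest report-type value plus one and must be bumped with the defines above it. A trailing comment makes that explicit and survives any future reordering: `#define HID_REPORT_TYPES 3 /* number of HID_*_REPORT types above; keep in sync */`. The second hunk, which removes the old definition next to `struct hid_report_enum`, needs nothing further.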