KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Replace 1-element arrays in drivers/hid/hid-hyperv.c #210

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

Replace one-element arrays with flexible-array members in drivers/hid/hid-hyperv.c:

 54 /*
 55  * Basic message structures.
 56  */
 57 struct synthhid_msg_hdr {
 58         enum synthhid_msg_type type;
 59         u32 size;
 60 };
 61 
 62 struct synthhid_msg {
 63         struct synthhid_msg_hdr header;
 64         char data[1]; /* Enclosed message */
 65 };
 66 

100 struct synthhid_input_report {
101         struct synthhid_msg_hdr header;
102         char buffer[1];
103 };

118 struct pipe_prt_msg {
119         enum pipe_prot_msg_type type;
120         u32 size;
121         char data[1];
122 };

Audit (at least) all these places where the flex arrays are being used:

diff -u -p ./drivers/hid/hid-hyperv.c /tmp/nothing/drivers/hid/hid-hyperv.c
--- ./drivers/hid/hid-hyperv.c
+++ /tmp/nothing/drivers/hid/hid-hyperv.c
@@ -262,7 +262,6 @@ static void mousevsc_on_receive(struct h
        if (pipe_msg->type != PIPE_MESSAGE_DATA)
                return;

-       hid_msg = (struct synthhid_msg *)pipe_msg->data;

        switch (hid_msg->header.type) {
        case SYNTH_HID_PROTOCOL_RESPONSE:
@@ -292,17 +291,14 @@ static void mousevsc_on_receive(struct h
                 * hid desc and report desc
                 */
                mousevsc_on_receive_device_info(input_dev,
-                       (struct synthhid_device_info *)pipe_msg->data);
                break;
        case SYNTH_HID_INPUT_REPORT:
                input_report =
-                       (struct synthhid_input_report *)pipe_msg->data;
                if (!input_dev->init_complete)
                        break;

                len = min(input_report->header.size,
                          (u32)sizeof(input_dev->input_buf));
-               memcpy(input_dev->input_buf, input_report->buffer, len);
                hid_input_report(input_dev->hid_device, HID_INPUT_REPORT,
                                 input_dev->input_buf, len, 1);
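Review bot: In the `SYNTH_HID_INPUT_REPORT` case, `len` is clamped only to the destination (`sizeof(input_dev->input_buf)`), while `input_report->header.size` comes from the message itself and nothing visible in this hunk compares it with the number of bytes actually received. The marked `memcpy()` from `input_report->buffer` could therefore read past the received data if the size field is larger than what arrived. `mousevsc_on_receive` starts outside the hunk, so the audit should confirm that an earlier check exists, or add one before the copy, such as `if (input_report->header.size > <received payload length>) break;`. The casts of `pipe_msg->data` marked here and in the first hunk do not depend on the struct sizes, but any `sizeof(struct pipe_prt_msg)`, `sizeof(struct synthhid_msg)` or `sizeof(struct synthhid_input_report)` arithmetic elsewhere in the file yields a smaller value once `[1]` becomes `[]` and needs the same audit.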
PauloMigAlmeida commented 1 year ago

That one seems to have no owner for now. @GustavoARSilva Could you assign that one to me please?

GustavoARSilva commented 1 year ago

Done. Thanks! :)

PauloMigAlmeida commented 1 year ago

Patch sent: https://lore.kernel.org/lkml/Y00JenqCzKRrcTiF@mail.google.com/T/#u

PauloMigAlmeida commented 1 year ago

Patch was merged. You may close this one @GustavoARSilva