linux/drivers/hid/hid-steelseries.c
Kees Cook 41df7f6d43 HID: steelseries: validate output report details
A HID device could send a malicious output report that would cause the
steelseries HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:

[  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
...
[  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2891

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-09-13 15:12:28 +02:00


/*
* HID driver for Steelseries SRW-S1
*
* Copyright (c) 2013 Simon Wood
*/
/*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*/
#include <linux/device.h>
#include <linux/usb.h>
#include <linux/hid.h>
#include <linux/module.h>
#include "hid-ids.h"
#if IS_BUILTIN(CONFIG_LEDS_CLASS) || \
	(IS_MODULE(CONFIG_LEDS_CLASS) && IS_MODULE(CONFIG_HID_STEELSERIES))
/* Number of individually addressable RPM LEDs on the wheel. */
#define SRWS1_NUMBER_LEDS 15

/*
 * Per-device driver state, attached with hid_set_drvdata() in probe.
 *
 * @led_state: bitmask of LEDs currently on; bit i belongs to LED i, the
 *             top bit (bit SRWS1_NUMBER_LEDS) to the "ALL" classdev.
 * @led:       LED classdevs indexed by LED number; NULL when not registered.
 */
struct steelseries_srws1_data {
	__u16 led_state;
	/* the last element is used for setting all leds simultaneously */
	struct led_classdev *led[SRWS1_NUMBER_LEDS + 1];
};
#endif
/* Fixed report descriptor for Steelseries SRW-S1 wheel controller
 *
 * The original descriptor hides the sensitivity and assists dials
 * behind a custom vendor usage page. This inserts a patch to make them
 * appear in the 'Generic Desktop' usage.
 *
 * Returned by steelseries_srws1_report_fixup() in place of the
 * device-supplied descriptor when that descriptor matches the known
 * SRW-S1 layout. The trailing output report (16 x 8-bit values) is the
 * one steelseries_srws1_set_leds() writes the LED state into.
 */
static __u8 steelseries_srws1_rdesc_fixed[] = {
	0x05, 0x01, /* Usage Page (Desktop) */
	0x09, 0x08, /* Usage (MultiAxis), Changed */
	0xA1, 0x01, /* Collection (Application), */
	0xA1, 0x02, /* Collection (Logical), */
	0x95, 0x01, /* Report Count (1), */
	0x05, 0x01, /* Changed Usage Page (Desktop), */
	0x09, 0x30, /* Changed Usage (X), */
	0x16, 0xF8, 0xF8, /* Logical Minimum (-1800), */
	0x26, 0x08, 0x07, /* Logical Maximum (1800), */
	0x65, 0x14, /* Unit (Degrees), */
	0x55, 0x0F, /* Unit Exponent (15), */
	0x75, 0x10, /* Report Size (16), */
	0x81, 0x02, /* Input (Variable), */
	0x09, 0x31, /* Changed Usage (Y), */
	0x15, 0x00, /* Logical Minimum (0), */
	0x26, 0xFF, 0x03, /* Logical Maximum (1023), */
	0x75, 0x0C, /* Report Size (12), */
	0x81, 0x02, /* Input (Variable), */
	0x09, 0x32, /* Changed Usage (Z), */
	0x15, 0x00, /* Logical Minimum (0), */
	0x26, 0xFF, 0x03, /* Logical Maximum (1023), */
	0x75, 0x0C, /* Report Size (12), */
	0x81, 0x02, /* Input (Variable), */
	0x05, 0x01, /* Usage Page (Desktop), */
	0x09, 0x39, /* Usage (Hat Switch), */
	0x25, 0x07, /* Logical Maximum (7), */
	0x35, 0x00, /* Physical Minimum (0), */
	0x46, 0x3B, 0x01, /* Physical Maximum (315), */
	0x65, 0x14, /* Unit (Degrees), */
	0x75, 0x04, /* Report Size (4), */
	0x95, 0x01, /* Report Count (1), */
	0x81, 0x02, /* Input (Variable), */
	0x25, 0x01, /* Logical Maximum (1), */
	0x45, 0x01, /* Physical Maximum (1), */
	0x65, 0x00, /* Unit, */
	0x75, 0x01, /* Report Size (1), */
	0x95, 0x03, /* Report Count (3), */
	0x81, 0x01, /* Input (Constant), */
	0x05, 0x09, /* Usage Page (Button), */
	0x19, 0x01, /* Usage Minimum (01h), */
	0x29, 0x11, /* Usage Maximum (11h), */
	0x95, 0x11, /* Report Count (17), */
	0x81, 0x02, /* Input (Variable), */
	/* ---- Dial patch starts here ---- */
	0x05, 0x01, /* Usage Page (Desktop), */
	0x09, 0x33, /* Usage (RX), */
	0x75, 0x04, /* Report Size (4), */
	0x95, 0x02, /* Report Count (2), */
	0x15, 0x00, /* Logical Minimum (0), */
	0x25, 0x0b, /* Logical Maximum (b), */
	0x81, 0x02, /* Input (Variable), */
	0x09, 0x35, /* Usage (RZ), */
	0x75, 0x04, /* Report Size (4), */
	0x95, 0x01, /* Report Count (1), */
	0x25, 0x03, /* Logical Maximum (3), */
	0x81, 0x02, /* Input (Variable), */
	/* ---- Dial patch ends here ---- */
	0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
	0x09, 0x01, /* Usage (01h), */
	0x75, 0x04, /* Changed Report Size (4), */
	0x95, 0x0D, /* Changed Report Count (13), */
	0x81, 0x02, /* Input (Variable), */
	0xC0, /* End Collection, */
	0xA1, 0x02, /* Collection (Logical), */
	0x09, 0x02, /* Usage (02h), */
	0x75, 0x08, /* Report Size (8), */
	0x95, 0x10, /* Report Count (16), */
	0x91, 0x02, /* Output (Variable), */
	0xC0, /* End Collection, */
	0xC0 /* End Collection */
};
#if IS_BUILTIN(CONFIG_LEDS_CLASS) || \
(IS_MODULE(CONFIG_LEDS_CLASS) && IS_MODULE(CONFIG_HID_STEELSERIES))
/*
 * Push the LED bitmask to the wheel through its first output report.
 *
 * Fills field 0 of the first HID output report with a leading 0x40 byte,
 * the 16-bit mask (low byte first) and 13 zero bytes, then issues a
 * SET_REPORT. Sixteen values are written unconditionally, which is why
 * steelseries_srws1_probe() refuses devices whose descriptor does not
 * provide at least that many values in this field (hid_validate_values).
 */
static void steelseries_srws1_set_leds(struct hid_device *hdev, __u16 leds)
{
	struct list_head *report_list = &hdev->report_enum[HID_OUTPUT_REPORT].report_list;
	struct hid_report *report = list_entry(report_list->next, struct hid_report, list);
	__s32 *value = report->field[0]->value;
	int idx;

	value[0] = 0x40;
	value[1] = leds & 0xFF;
	value[2] = leds >> 8;

	/* the rest of the 16-byte report carries no payload and is cleared */
	for (idx = 3; idx < 16; idx++)
		value[idx] = 0x00;

	hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
	/* Note: LED change does not show on device until the device is read/polled */
}
/*
 * brightness_set for the "ALL" classdev: switch every LED on or off.
 *
 * Any value other than LED_OFF turns on all individual LEDs plus the
 * ALL bit (bit SRWS1_NUMBER_LEDS); LED_OFF clears the whole mask.
 * Logs and returns without action if the driver data is missing.
 */
static void steelseries_srws1_led_all_set_brightness(struct led_classdev *led_cdev,
			enum led_brightness value)
{
	struct hid_device *hid = container_of(led_cdev->dev->parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);
	__u16 mask = 0;

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return;
	}

	if (value != LED_OFF)
		mask = (1 << (SRWS1_NUMBER_LEDS + 1)) - 1;

	drv_data->led_state = mask;
	steelseries_srws1_set_leds(hid, mask);
}
/*
 * brightness_get for the "ALL" classdev.
 *
 * Reports LED_FULL when the ALL bit (bit SRWS1_NUMBER_LEDS) of the cached
 * mask is set, LED_OFF otherwise or when the driver data is missing.
 */
static enum led_brightness steelseries_srws1_led_all_get_brightness(struct led_classdev *led_cdev)
{
	struct hid_device *hid = container_of(led_cdev->dev->parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);
	bool all_on;

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return LED_OFF;
	}

	all_on = drv_data->led_state >> SRWS1_NUMBER_LEDS;
	return all_on ? LED_FULL : LED_OFF;
}
/*
 * brightness_set for an individual RPM LED.
 *
 * Locates the LED's index in drv_data->led[], flips its bit in the cached
 * mask and sends the new mask to the device. A report is only sent when
 * the requested state differs from the cached one. Classdevs not found
 * in the table (including the ALL entry) are ignored.
 */
static void steelseries_srws1_led_set_brightness(struct led_classdev *led_cdev,
			enum led_brightness value)
{
	struct hid_device *hid = container_of(led_cdev->dev->parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);
	int idx;
	__u16 bit;
	bool want_on, is_on;

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return;
	}

	for (idx = 0; idx < SRWS1_NUMBER_LEDS; idx++)
		if (drv_data->led[idx] == led_cdev)
			break;
	if (idx == SRWS1_NUMBER_LEDS)
		return;

	bit = 1 << idx;
	want_on = value != LED_OFF;
	is_on = drv_data->led_state & bit;
	if (want_on == is_on)
		return;		/* already in the requested state, skip the report */

	if (want_on)
		drv_data->led_state |= bit;
	else
		drv_data->led_state &= ~bit;
	steelseries_srws1_set_leds(hid, drv_data->led_state);
}
/*
 * brightness_get for an individual RPM LED.
 *
 * Returns LED_FULL when the LED's bit in the cached mask is set, LED_OFF
 * otherwise, when the classdev is not in drv_data->led[], or when the
 * driver data is missing.
 */
static enum led_brightness steelseries_srws1_led_get_brightness(struct led_classdev *led_cdev)
{
	struct hid_device *hid = container_of(led_cdev->dev->parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);
	int idx;

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return LED_OFF;
	}

	for (idx = 0; idx < SRWS1_NUMBER_LEDS; idx++) {
		if (drv_data->led[idx] != led_cdev)
			continue;
		return (drv_data->led_state & (1 << idx)) ? LED_FULL : LED_OFF;
	}

	return LED_OFF;
}
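/*
 * Probe: parse and validate the descriptor, start the device, then register
 * one LED classdev per RPM LED plus an "ALL" classdev.
 *
 * Returns 0 on success, -ENOMEM if the driver data cannot be allocated,
 * the hid_parse()/hid_hw_start() error, or -ENODEV when the device's first
 * output report is too small for the 16 values steelseries_srws1_set_leds()
 * writes. LED registration failures are not fatal: any LEDs registered so
 * far are torn down and the driver continues without LEDs.
 */
static int steelseries_srws1_probe(struct hid_device *hdev,
		const struct hid_device_id *id)
{
	int ret, i;
	struct led_classdev *led;
	size_t name_sz;
	char *name;
	struct steelseries_srws1_data *drv_data = kzalloc(sizeof(*drv_data), GFP_KERNEL);

	if (drv_data == NULL) {
		hid_err(hdev, "can't alloc SRW-S1 memory\n");
		return -ENOMEM;
	}

	hid_set_drvdata(hdev, drv_data);

	ret = hid_parse(hdev);
	if (ret) {
		hid_err(hdev, "parse failed\n");
		goto err_free;
	}

	/*
	 * The descriptor comes from the device and is untrusted: make sure
	 * field 0 of the first output report really holds the 16 values that
	 * steelseries_srws1_set_leds() writes, or those writes would overrun
	 * the report allocation (CVE-2013-2891).
	 */
	if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) {
		ret = -ENODEV;
		goto err_free;
	}

	ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
	if (ret) {
		hid_err(hdev, "hw start failed\n");
		goto err_free;
	}

	/* register led subsystem */
	drv_data->led_state = 0;
	for (i = 0; i < SRWS1_NUMBER_LEDS + 1; i++)
		drv_data->led[i] = NULL;

	steelseries_srws1_set_leds(hdev, 0);

	/* "SRWS1::" + uniq + "::RPMALL" + NUL; the "::RPM%d" names are shorter */
	name_sz = strlen(hdev->uniq) + 16;

	/* 'ALL', for setting all LEDs simultaneously */
	led = kzalloc(sizeof(struct led_classdev)+name_sz, GFP_KERNEL);
	if (!led) {
		hid_err(hdev, "can't allocate memory for LED ALL\n");
		goto err_led;
	}

	name = (void *)(&led[1]);	/* name storage sits right after the classdev */
	snprintf(name, name_sz, "SRWS1::%s::RPMALL", hdev->uniq);
	led->name = name;
	led->brightness = 0;
	led->max_brightness = 1;
	led->brightness_get = steelseries_srws1_led_all_get_brightness;
	led->brightness_set = steelseries_srws1_led_all_set_brightness;

	drv_data->led[SRWS1_NUMBER_LEDS] = led;
	ret = led_classdev_register(&hdev->dev, led);
	if (ret) {
		hid_err(hdev, "failed to register LED ALL. Aborting.\n");
		/* never registered: free it here so the cleanup loop does not unregister it */
		drv_data->led[SRWS1_NUMBER_LEDS] = NULL;
		kfree(led);
		goto err_led;
	}

	/* Each individual LED */
	for (i = 0; i < SRWS1_NUMBER_LEDS; i++) {
		led = kzalloc(sizeof(struct led_classdev)+name_sz, GFP_KERNEL);
		if (!led) {
			hid_err(hdev, "can't allocate memory for LED %d\n", i);
			goto err_led;
		}

		name = (void *)(&led[1]);
		snprintf(name, name_sz, "SRWS1::%s::RPM%d", hdev->uniq, i+1);
		led->name = name;
		led->brightness = 0;
		led->max_brightness = 1;
		led->brightness_get = steelseries_srws1_led_get_brightness;
		led->brightness_set = steelseries_srws1_led_set_brightness;

		drv_data->led[i] = led;
		ret = led_classdev_register(&hdev->dev, led);
		if (ret) {
			hid_err(hdev, "failed to register LED %d. Aborting.\n", i);
			/* never registered: free it here so the cleanup loop does not unregister it */
			drv_data->led[i] = NULL;
			kfree(led);
			goto err_led;
		}
	}

	return 0;

err_led:
	/* Deregister all LEDs registered so far, but let the driver continue without LEDs */
	for (i = 0; i < SRWS1_NUMBER_LEDS + 1; i++) {
		led = drv_data->led[i];
		drv_data->led[i] = NULL;
		if (!led)
			continue;
		led_classdev_unregister(led);
		kfree(led);
	}
	return 0;

err_free:
	kfree(drv_data);
	return ret;
}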
/*
 * Remove: unregister and free every LED classdev still in the table,
 * stop the HID hardware and release the driver data.
 *
 * Tolerates missing driver data (the LED loop is skipped; kfree(NULL)
 * is a no-op).
 */
static void steelseries_srws1_remove(struct hid_device *hdev)
{
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hdev);
	int i;

	if (drv_data) {
		/* Deregister LEDs (if any) */
		for (i = 0; i < SRWS1_NUMBER_LEDS + 1; i++) {
			struct led_classdev *led = drv_data->led[i];

			if (!led)
				continue;
			drv_data->led[i] = NULL;
			led_classdev_unregister(led);
			kfree(led);
		}
	}

	hid_hw_stop(hdev);
	kfree(drv_data);
}
#endif
/*
 * report_fixup: substitute the patched descriptor for the stock SRW-S1 one.
 *
 * The device descriptor is recognised by its length (at least 115 bytes,
 * checked first so the byte probes below stay in bounds) and four marker
 * bytes. On a match, *rsize is updated to the size of the replacement and
 * the replacement is returned; otherwise rdesc is returned unchanged.
 */
static __u8 *steelseries_srws1_report_fixup(struct hid_device *hdev, __u8 *rdesc,
		unsigned int *rsize)
{
	bool is_srws1 = *rsize >= 115 && rdesc[11] == 0x02 && rdesc[13] == 0xc8 &&
			rdesc[29] == 0xbb && rdesc[40] == 0xc5;

	if (!is_srws1)
		return rdesc;

	hid_info(hdev, "Fixing up Steelseries SRW-S1 report descriptor\n");
	*rsize = sizeof(steelseries_srws1_rdesc_fixed);
	return steelseries_srws1_rdesc_fixed;
}
/* USB IDs this driver binds to; exported for module autoloading. */
static const struct hid_device_id steelseries_srws1_devices[] = {
	{ HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) },
	{ }
};
MODULE_DEVICE_TABLE(hid, steelseries_srws1_devices);
/*
 * Driver registration. The probe/remove pair (and with it the LED support)
 * is only wired in when the LED class is available to this driver; without
 * it only the descriptor fixup is applied and HID core handles the device.
 */
static struct hid_driver steelseries_srws1_driver = {
	.name = "steelseries_srws1",
	.id_table = steelseries_srws1_devices,
#if IS_BUILTIN(CONFIG_LEDS_CLASS) || \
	(IS_MODULE(CONFIG_LEDS_CLASS) && IS_MODULE(CONFIG_HID_STEELSERIES))
	.probe = steelseries_srws1_probe,
	.remove = steelseries_srws1_remove,
#endif
	.report_fixup = steelseries_srws1_report_fixup
};
module_hid_driver(steelseries_srws1_driver);
MODULE_LICENSE("GPL");