linux/drivers/hid/hid-appleir.c
Daniil Dulov 2ff5baa9b5 HID: appleir: Fix potential NULL dereference at raw event handle
Syzkaller reports a NULL pointer dereference issue in input_event().

BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]
BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395
Read of size 8 at addr 0000000000000028 by task syz-executor199/2949

CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 is_event_supported drivers/input/input.c:67 [inline]
 input_event+0x42/0xa0 drivers/input/input.c:395
 input_report_key include/linux/input.h:439 [inline]
 key_down drivers/hid/hid-appleir.c:159 [inline]
 appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232
 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111
 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484
 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1739 [inline]
 __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185
 add_timer+0x62/0x90 kernel/time/timer.c:1295
 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98
 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645
 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784
 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

This happens due to the malformed report items sent by the emulated device,
which result in a report that has no fields being added to the report list.
Because of this, appleir_input_configured() is never called and hidinput_connect()
fails, so the HID_CLAIMED_INPUT flag is not set. However, that does not make
appleir_probe() fail, and the event callback can then be called without the
associated input device.

Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook
early if the driver didn't claim any input_dev for some reason. Moreover,
some other hid drivers accessing input_dev in their event callbacks do have
similar checks, too.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 9a4a5574ce ("HID: appleir: add support for Apple ir devices")
Cc: stable@vger.kernel.org
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
2025-03-04 21:39:39 +01:00


// SPDX-License-Identifier: GPL-2.0-only
/*
* HID driver for the apple ir device
*
* Original driver written by James McKenzie
* Ported to recent 2.6 kernel versions by Greg Kroah-Hartman <gregkh@suse.de>
* Updated to support newer remotes by Bastien Nocera <hadess@hadess.net>
* Ported to HID subsystem by Benjamin Tissoires <benjamin.tissoires@gmail.com>
*
* Copyright (C) 2006 James McKenzie
* Copyright (C) 2008 Greg Kroah-Hartman <greg@kroah.com>
* Copyright (C) 2008 Novell Inc.
* Copyright (C) 2010, 2012 Bastien Nocera <hadess@hadess.net>
* Copyright (C) 2013 Benjamin Tissoires <benjamin.tissoires@gmail.com>
* Copyright (C) 2013 Red Hat Inc. All Rights Reserved
*/
#include <linux/device.h>
#include <linux/hid.h>
#include <linux/module.h>
#include "hid-ids.h"
MODULE_AUTHOR("James McKenzie");
MODULE_AUTHOR("Benjamin Tissoires <benjamin.tissoires@redhat.com>");
MODULE_DESCRIPTION("HID Apple IR remote controls");
MODULE_LICENSE("GPL");

/* Key index bits of data[4], taken after shifting the byte right by one (see get_key()). */
#define KEY_MASK 0x0F
/* Set in data[4] (0x5x values) when the report is the first half of a two-packets command. */
#define TWO_PACKETS_MASK 0x40
/*
* James McKenzie has two devices both of which report the following
* 25 87 ee 83 0a +
* 25 87 ee 83 0c -
* 25 87 ee 83 09 <<
* 25 87 ee 83 06 >>
* 25 87 ee 83 05 >"
* 25 87 ee 83 03 menu
* 26 00 00 00 00 for key repeat
*/
/*
* Thomas Glanzmann reports the following responses
* 25 87 ee ca 0b +
* 25 87 ee ca 0d -
* 25 87 ee ca 08 <<
* 25 87 ee ca 07 >>
* 25 87 ee ca 04 >"
* 25 87 ee ca 02 menu
* 26 00 00 00 00 for key repeat
*
* He also observes the following event sometimes
* sent after a key is release, which I interpret
* as a flat battery message
* 25 87 e0 ca 06 flat battery
*/
/*
* Alexandre Karpenko reports the following responses for Device ID 0x8242
* 25 87 ee 47 0b +
* 25 87 ee 47 0d -
* 25 87 ee 47 08 <<
* 25 87 ee 47 07 >>
* 25 87 ee 47 04 >"
* 25 87 ee 47 02 menu
* 26 87 ee 47 ** for key repeat (** is the code of the key being held)
*/
/*
* Bastien Nocera's remote
* 25 87 ee 91 5f followed by
* 25 87 ee 91 05 gives you >"
*
* 25 87 ee 91 5c followed by
* 25 87 ee 91 05 gives you the middle button
*/
/*
* Fabien Andre's remote
* 25 87 ee a3 5e followed by
* 25 87 ee a3 04 gives you >"
*
* 25 87 ee a3 5d followed by
* 25 87 ee a3 04 gives you the middle button
*/
/*
 * Key index (the value get_key() returns for a report) -> Linux key code.
 * Indexes 7..13 are unused on every known remote. The trailing entry at
 * index 16 keeps the table at its original size, which is also the size
 * of the per-device keymap exported to the input core.
 */
static const unsigned short appleir_key_table[] = {
	[0]  = KEY_RESERVED,
	[1]  = KEY_MENU,
	[2]  = KEY_PLAYPAUSE,
	[3]  = KEY_FORWARD,
	[4]  = KEY_BACK,
	[5]  = KEY_VOLUMEUP,
	[6]  = KEY_VOLUMEDOWN,
	[7]  = KEY_RESERVED,
	[8]  = KEY_RESERVED,
	[9]  = KEY_RESERVED,
	[10] = KEY_RESERVED,
	[11] = KEY_RESERVED,
	[12] = KEY_RESERVED,
	[13] = KEY_RESERVED,
	[14] = KEY_ENTER,
	[15] = KEY_PLAYPAUSE,
	[16] = KEY_RESERVED,
};
/* Per-device state, allocated zeroed in appleir_probe() and reached via hid_get_drvdata(). */
struct appleir {
	struct input_dev *input_dev;	/* set in appleir_input_configured(); NULL until then */
	struct hid_device *hid;
	unsigned short keymap[ARRAY_SIZE(appleir_key_table)];	/* copy of appleir_key_table, exported as input_dev->keycode */
	struct timer_list key_up_timer; /* releases .current_key, as the remote never sends key up */
	spinlock_t lock; /* protects .current_key */
	int current_key; /* the currently pressed key code, 0 when none */
	int prev_key_idx; /* key index saved from the first half of a 2 packets message, 0 if none */
};
/*
 * Decode the key index carried by the last byte of a report.
 *
 * The index sits in bits 1..4 of the byte (bit 0 is ignored, which is why
 * two adjacent byte values name the same key):
 *
 * 0x00 or 0x01 (      ) key:  0 -> KEY_RESERVED
 * 0x02 or 0x03 ( menu ) key:  1 -> KEY_MENU
 * 0x04 or 0x05 (  >"  ) key:  2 -> KEY_PLAYPAUSE
 * 0x06 or 0x07 (  >>  ) key:  3 -> KEY_FORWARD
 * 0x08 or 0x09 (  <<  ) key:  4 -> KEY_BACK
 * 0x0a or 0x0b (  +   ) key:  5 -> KEY_VOLUMEUP
 * 0x0c or 0x0d (  -   ) key:  6 -> KEY_VOLUMEDOWN
 * 0x0e or 0x0f (      ) key:  7 -> KEY_RESERVED
 * 0x50 or 0x51 (      ) key:  8 -> KEY_RESERVED
 * 0x52 or 0x53 (      ) key:  9 -> KEY_RESERVED
 * 0x54 or 0x55 (      ) key: 10 -> KEY_RESERVED
 * 0x56 or 0x57 (      ) key: 11 -> KEY_RESERVED
 * 0x58 or 0x59 (      ) key: 12 -> KEY_RESERVED
 * 0x5a or 0x5b (      ) key: 13 -> KEY_RESERVED
 * 0x5c or 0x5d (middle) key: 14 -> KEY_ENTER
 * 0x5e or 0x5f (  >"  ) key: 15 -> KEY_PLAYPAUSE
 *
 * Bytes with TWO_PACKETS_MASK set (0x5x) are the first half of a
 * two-packets message; their index is returned negated so the caller
 * can tell them apart and wait for the second packet.
 */
static int get_key(int data)
{
	int idx = (data >> 1) & KEY_MASK;

	return (data & TWO_PACKETS_MASK) ? -idx : idx;
}
/* Report @key released on the remote's input device; @hid is unused. */
static void key_up(struct hid_device *hid, struct appleir *appleir, int key)
{
	struct input_dev *idev = appleir->input_dev;

	input_report_key(idev, key, 0);
	input_sync(idev);
}
/* Report @key pressed on the remote's input device; @hid is unused. */
static void key_down(struct hid_device *hid, struct appleir *appleir, int key)
{
	struct input_dev *idev = appleir->input_dev;

	input_report_key(idev, key, 1);
	input_sync(idev);
}
/* Log the remote's "25 87 e0 .." message, which is taken to mean a flat battery. */
static void battery_flat(struct appleir *appleir)
{
	struct device *dev = &appleir->input_dev->dev;

	dev_err(dev, "possible flat battery?\n");
}
/*
 * Timer callback armed from appleir_raw_event(). The remote never sends a
 * key-up report, so release whichever key is still marked down.
 */
static void key_up_tick(struct timer_list *t)
{
	struct appleir *appleir = from_timer(appleir, t, key_up_timer);
	unsigned long flags;
	int key;

	spin_lock_irqsave(&appleir->lock, flags);
	key = appleir->current_key;
	if (key) {
		key_up(appleir->hid, appleir, key);
		appleir->current_key = 0;
	}
	spin_unlock_irqrestore(&appleir->lock, flags);
}
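/*
 * Raw report handler.
 *
 * Every report from the remote is five bytes. The first bytes select the
 * message type (key down, key repeat, flat battery) and, for key down,
 * data[4] carries the key index decoded by get_key(). The remote never
 * sends key-up reports, so each press arms key_up_timer to release the
 * key after 1/8 s.
 *
 * Always returns 0 so hidraw and hiddev still get to see the report.
 */
static int appleir_raw_event(struct hid_device *hid, struct hid_report *report,
			     u8 *data, int len)
{
	struct appleir *appleir = hid_get_drvdata(hid);
	static const u8 keydown[] = { 0x25, 0x87, 0xee };
	static const u8 keyrepeat[] = { 0x26, };
	static const u8 flatbattery[] = { 0x25, 0x87, 0xe0 };
	unsigned long flags;

	/*
	 * Drop reports of the wrong size, and everything while no input_dev
	 * has been claimed: hidinput_connect() can fail (e.g. on a report
	 * descriptor with no fields) without failing probe, and then
	 * appleir->input_dev is still NULL.
	 */
	if (len != 5 || !(hid->claimed & HID_CLAIMED_INPUT))
		goto out;

	if (!memcmp(data, keydown, sizeof(keydown))) {
		int index;

		spin_lock_irqsave(&appleir->lock, flags);
		/*
		 * If we already have a key down, take it up before marking
		 * this one down
		 */
		if (appleir->current_key)
			key_up(hid, appleir, appleir->current_key);

		/* Handle dual packet commands */
		if (appleir->prev_key_idx > 0)
			index = appleir->prev_key_idx;
		else
			index = get_key(data[4]);

		if (index >= 0) {
			appleir->current_key = appleir->keymap[index];

			key_down(hid, appleir, appleir->current_key);
			/*
			 * Remote doesn't do key up, either pull them up, in
			 * the test above, or here set a timer which pulls
			 * them up after 1/8 s
			 */
			mod_timer(&appleir->key_up_timer, jiffies + HZ / 8);
			appleir->prev_key_idx = 0;
		} else {
			/* Remember key for next packet */
			appleir->prev_key_idx = -index;
		}
		spin_unlock_irqrestore(&appleir->lock, flags);
		goto out;
	}

	if (!memcmp(data, keyrepeat, sizeof(keyrepeat))) {
		/*
		 * .current_key is also cleared by key_up_tick(); read it
		 * under the lock, like the key down path does.
		 */
		spin_lock_irqsave(&appleir->lock, flags);
		appleir->prev_key_idx = 0;
		key_down(hid, appleir, appleir->current_key);
		/*
		 * Remote doesn't do key up, either pull them up, in the test
		 * above, or here set a timer which pulls them up after 1/8 s
		 */
		mod_timer(&appleir->key_up_timer, jiffies + HZ / 8);
		spin_unlock_irqrestore(&appleir->lock, flags);
		goto out;
	}

	/* Any other message ends a pending two-packets sequence. */
	appleir->prev_key_idx = 0;

	if (!memcmp(data, flatbattery, sizeof(flatbattery)))
		battery_flat(appleir);

out:
	/* let hidraw and hiddev handle the report */
	return 0;
}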
/*
 * Called once the HID core has created the input device: remember it,
 * install the keymap and advertise the key codes the remote can produce.
 */
static int appleir_input_configured(struct hid_device *hid,
				    struct hid_input *hidinput)
{
	struct appleir *appleir = hid_get_drvdata(hid);
	struct input_dev *idev = hidinput->input;
	unsigned int i;

	appleir->input_dev = idev;
	memcpy(appleir->keymap, appleir_key_table, sizeof(appleir->keymap));

	/* expose the per-device keymap through the input core's keycode fields */
	idev->keycode = appleir->keymap;
	idev->keycodesize = sizeof(unsigned short);
	idev->keycodemax = ARRAY_SIZE(appleir->keymap);

	idev->evbit[0] = BIT(EV_KEY) | BIT(EV_REP);
	for (i = 0; i < ARRAY_SIZE(appleir_key_table); i++)
		set_bit(appleir->keymap[i], idev->keybit);
	/* KEY_RESERVED only fills the unused table slots; it is not a real key */
	clear_bit(KEY_RESERVED, idev->keybit);

	return 0;
}
/*
 * Decline every usage the HID core would map on its own: the key events
 * are generated from the raw reports in appleir_raw_event() instead.
 */
static int appleir_input_mapping(struct hid_device *hid, struct hid_input *hi,
				 struct hid_field *field, struct hid_usage *usage,
				 unsigned long **bit, int *max)
{
	/* a negative return asks the HID core to skip this usage */
	return -1;
}
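/*
 * Bind to a remote: allocate the per-device state, set up the key-up timer
 * and start the HID transport with hiddev forced on.
 *
 * Note that hid_hw_start() succeeds even when hidinput_connect() fails, so
 * appleir->input_dev may stay NULL; appleir_raw_event() checks
 * HID_CLAIMED_INPUT before touching it.
 *
 * Returns 0 or a negative errno. On failure the devm allocation is released
 * explicitly so no state outlives the failed probe.
 */
static int appleir_probe(struct hid_device *hid, const struct hid_device_id *id)
{
	struct appleir *appleir;
	int ret;

	appleir = devm_kzalloc(&hid->dev, sizeof(*appleir), GFP_KERNEL);
	if (!appleir)
		return -ENOMEM;

	appleir->hid = hid;

	/* force input as some remotes bypass the input registration */
	hid->quirks |= HID_QUIRK_HIDINPUT_FORCE;

	spin_lock_init(&appleir->lock);
	timer_setup(&appleir->key_up_timer, key_up_tick, 0);

	/* must precede hid_hw_start(): the callbacks fetch this via hid_get_drvdata() */
	hid_set_drvdata(hid, appleir);

	ret = hid_parse(hid);
	if (ret) {
		hid_err(hid, "parse failed\n");
		goto fail;
	}

	ret = hid_hw_start(hid, HID_CONNECT_DEFAULT | HID_CONNECT_HIDDEV_FORCE);
	if (ret) {
		hid_err(hid, "hw start failed\n");
		goto fail;
	}

	return 0;
fail:
	devm_kfree(&hid->dev, appleir);
	return ret;
}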
/*
 * Unbind from the remote. The transport is stopped first so that
 * appleir_raw_event() can no longer re-arm the timer once it is deleted.
 */
static void appleir_remove(struct hid_device *hid)
{
	struct appleir *drv = hid_get_drvdata(hid);

	hid_hw_stop(hid);
	del_timer_sync(&drv->key_up_timer);
}
/* Apple IR receivers handled by this driver; the IDs live in hid-ids.h. */
static const struct hid_device_id appleir_devices[] = {
	{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL) },
	{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL2) },
	{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL3) },
	{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL4) },
	{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL5) },
	{ }	/* terminator */
};
MODULE_DEVICE_TABLE(hid, appleir_devices);
/* Driver callbacks, listed roughly in the order the HID core invokes them. */
static struct hid_driver appleir_driver = {
	.name			= "appleir",
	.id_table		= appleir_devices,
	.probe			= appleir_probe,
	.input_mapping		= appleir_input_mapping,
	.input_configured	= appleir_input_configured,
	.raw_event		= appleir_raw_event,
	.remove			= appleir_remove,
};
module_hid_driver(appleir_driver);