Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)

From: Enderborg, Peter
Date: Thu Feb 06 2020 - 02:01:05 EST


On 2/5/20 4:00 PM, Alan Stern wrote:
> On Wed, 5 Feb 2020, Jiri Kosina wrote:
>
>> On Wed, 5 Feb 2020, Enderborg, Peter wrote:
>>
>>>>> This patch breaks Elgato StreamDeck.
>>>> Does that mean the device is broken with a too-large of a report?
>>> Yes.
>> In which way does the breakage pop up? Are you getting "report too long"
>> errors in dmesg, or the device just doesn't enumerate at all?
>>
>> Could you please post /sys/kernel/debug/hid/<device>/rdesc contents, and
>> if the device is at least semi-alive, also contents of
>> /sys/kernel/debug/hid/<device>/events from the time it misbehaves?
> Also, please post the output from "lsusb -v" for the StreamDeck.

Bus 002 Device 008: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
Device Descriptor:
 bLength 18
 bDescriptorType 1
 bcdUSB 2.00
 bDeviceClass 0
 bDeviceSubClass 0
 bDeviceProtocol 0
 bMaxPacketSize0 64
 idVendor 0x0fd9 Elgato Systems GmbH
 idProduct 0x0060
 bcdDevice 1.00
 iManufacturer 1
 iProduct 2
 iSerial 3
 bNumConfigurations 1
 Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0029
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              400mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     248
         Report Descriptors:
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               1


> Alan Stern
>