41df7f6d43
A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
/*
 * HID driver for Steelseries SRW-S1
 *
 * Copyright (c) 2013 Simon Wood
 */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 */
#include <linux/device.h>
#include <linux/usb.h>
#include <linux/hid.h>
#include <linux/module.h>
#include "hid-ids.h"
#if IS_BUILTIN(CONFIG_LEDS_CLASS) || \
	(IS_MODULE(CONFIG_LEDS_CLASS) && IS_MODULE(CONFIG_HID_STEELSERIES))
/* Number of individually controllable LEDs exposed by this driver. */
#define SRWS1_NUMBER_LEDS 15

/*
 * Per-device driver state, stored as the hid_device's drvdata.
 *
 * led_state is a bitmask: bit i mirrors led[i], and the driver also uses
 * bit SRWS1_NUMBER_LEDS when reporting the state of the "all LEDs" entry.
 * With 15 LEDs plus that extra bit the mask exactly fills the 16-bit field.
 */
struct steelseries_srws1_data {
	__u16 led_state;
	/* the last element is used for setting all leds simultaneously */
	struct led_classdev *led[SRWS1_NUMBER_LEDS + 1];
};
#endif
/* Fixed report descriptor for Steelseries SRW-S1 wheel controller
 *
 * The original descriptor hides the sensitivity and assists dials in
 * a custom vendor usage page. This inserts a patch to make them
 * appear in the 'Generic Desktop' usage.
 */
/*
 * Replacement report descriptor handed to the HID core by
 * steelseries_srws1_report_fixup().
 *
 * The final logical collection declares a single output field of
 * 16 x 8-bit values. The LED code writes exactly 16 values into that
 * field, and probe checks for the same count with hid_validate_values().
 */
static __u8 steelseries_srws1_rdesc_fixed[] = {
	0x05, 0x01,		/* Usage Page (Desktop)			*/
	0x09, 0x08,		/* Usage (MultiAxis), Changed		*/
	0xA1, 0x01,		/* Collection (Application),		*/
	0xA1, 0x02,		/*   Collection (Logical),		*/
	0x95, 0x01,		/*     Report Count (1),		*/
	0x05, 0x01,		/* Changed  Usage Page (Desktop),	*/
	0x09, 0x30,		/* Changed  Usage (X),			*/
	0x16, 0xF8, 0xF8,	/*     Logical Minimum (-1800),		*/
	0x26, 0x08, 0x07,	/*     Logical Maximum (1800),		*/
	0x65, 0x14,		/*     Unit (Degrees),			*/
	0x55, 0x0F,		/*     Unit Exponent (15),		*/
	0x75, 0x10,		/*     Report Size (16),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
	0x09, 0x31,		/* Changed  Usage (Y),			*/
	0x15, 0x00,		/*     Logical Minimum (0),		*/
	0x26, 0xFF, 0x03,	/*     Logical Maximum (1023),		*/
	0x75, 0x0C,		/*     Report Size (12),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
	0x09, 0x32,		/* Changed  Usage (Z),			*/
	0x15, 0x00,		/*     Logical Minimum (0),		*/
	0x26, 0xFF, 0x03,	/*     Logical Maximum (1023),		*/
	0x75, 0x0C,		/*     Report Size (12),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
	0x05, 0x01,		/*     Usage Page (Desktop),		*/
	0x09, 0x39,		/*     Usage (Hat Switch),		*/
	0x25, 0x07,		/*     Logical Maximum (7),		*/
	0x35, 0x00,		/*     Physical Minimum (0),		*/
	0x46, 0x3B, 0x01,	/*     Physical Maximum (315),		*/
	0x65, 0x14,		/*     Unit (Degrees),			*/
	0x75, 0x04,		/*     Report Size (4),			*/
	0x95, 0x01,		/*     Report Count (1),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
	0x25, 0x01,		/*     Logical Maximum (1),		*/
	0x45, 0x01,		/*     Physical Maximum (1),		*/
	0x65, 0x00,		/*     Unit,				*/
	0x75, 0x01,		/*     Report Size (1),			*/
	0x95, 0x03,		/*     Report Count (3),		*/
	0x81, 0x01,		/*     Input (Constant),		*/
	0x05, 0x09,		/*     Usage Page (Button),		*/
	0x19, 0x01,		/*     Usage Minimum (01h),		*/
	0x29, 0x11,		/*     Usage Maximum (11h),		*/
	0x95, 0x11,		/*     Report Count (17),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
				/*   ---- Dial patch starts here ----	*/
	0x05, 0x01,		/*     Usage Page (Desktop),		*/
	0x09, 0x33,		/*     Usage (RX),			*/
	0x75, 0x04,		/*     Report Size (4),			*/
	0x95, 0x02,		/*     Report Count (2),		*/
	0x15, 0x00,		/*     Logical Minimum (0),		*/
	0x25, 0x0b,		/*     Logical Maximum (0Bh = 11),	*/
	0x81, 0x02,		/*     Input (Variable),		*/
	0x09, 0x35,		/*     Usage (RZ),			*/
	0x75, 0x04,		/*     Report Size (4),			*/
	0x95, 0x01,		/*     Report Count (1),		*/
	0x25, 0x03,		/*     Logical Maximum (3),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
				/*    ---- Dial patch ends here ----	*/
	0x06, 0x00, 0xFF,	/*     Usage Page (FF00h),		*/
	0x09, 0x01,		/*     Usage (01h),			*/
	0x75, 0x04,		/* Changed  Report Size (4),		*/
	0x95, 0x0D,		/* Changed  Report Count (13),		*/
	0x81, 0x02,		/*     Input (Variable),		*/
	0xC0,			/*   End Collection,			*/
	0xA1, 0x02,		/*   Collection (Logical),		*/
	0x09, 0x02,		/*     Usage (02h),			*/
	0x75, 0x08,		/*     Report Size (8),			*/
	0x95, 0x10,		/*     Report Count (16),		*/
	0x91, 0x02,		/*     Output (Variable),		*/
	0xC0,			/*   End Collection,			*/
	0xC0			/* End Collection			*/
};
#if IS_BUILTIN(CONFIG_LEDS_CLASS) || \
(IS_MODULE(CONFIG_LEDS_CLASS) && IS_MODULE(CONFIG_HID_STEELSERIES))
/*
 * Push a new LED bitmask to the wheel.
 *
 * @hdev: HID device to talk to
 * @leds: bitmask of LEDs to light; sent as low byte then high byte
 *
 * Fills the first field of the first output report with 16 values
 * (command byte 0x40, the two mask bytes, then zero padding) and submits
 * it as a SET_REPORT request.
 *
 * No bounds are checked here: the function takes the first entry of the
 * output report list and writes value[0..15] unconditionally. It is only
 * safe because probe rejects the device unless
 * hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16) succeeds before
 * this function can first be called. Any new caller must keep that ordering.
 */
static void steelseries_srws1_set_leds(struct hid_device *hdev, __u16 leds)
{
	struct list_head *head = &hdev->report_enum[HID_OUTPUT_REPORT].report_list;
	struct hid_report *report = list_entry(head->next, struct hid_report, list);
	__s32 *value = report->field[0]->value;
	int idx;

	value[0] = 0x40;
	value[1] = leds & 0xFF;
	value[2] = leds >> 8;

	/* remaining 13 entries of the 16-value report are zero padding */
	for (idx = 3; idx < 16; idx++)
		value[idx] = 0x00;

	hid_hw_request(hdev, report, HID_REQ_SET_REPORT);

	/* Note: LED change does not show on device until the device is read/polled */
}
/*
 * brightness_set callback for the "all LEDs" class device.
 *
 * LED_OFF clears the whole mask; any other value sets every bit
 * (SRWS1_NUMBER_LEDS + 1 bits). The new mask is then sent to the device.
 */
static void steelseries_srws1_led_all_set_brightness(struct led_classdev *led_cdev,
		enum led_brightness value)
{
	struct device *parent = led_cdev->dev->parent;
	struct hid_device *hid = container_of(parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return;
	}

	drv_data->led_state = (value == LED_OFF) ?
		0 : (1 << (SRWS1_NUMBER_LEDS + 1)) - 1;

	steelseries_srws1_set_leds(hid, drv_data->led_state);
}
/*
 * brightness_get callback for the "all LEDs" class device.
 *
 * Returns LED_FULL when bit SRWS1_NUMBER_LEDS of the cached mask is set,
 * LED_OFF otherwise (including when no driver data is attached).
 */
static enum led_brightness steelseries_srws1_led_all_get_brightness(struct led_classdev *led_cdev)
{
	struct device *parent = led_cdev->dev->parent;
	struct hid_device *hid = container_of(parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return LED_OFF;
	}

	if (drv_data->led_state >> SRWS1_NUMBER_LEDS)
		return LED_FULL;

	return LED_OFF;
}
/*
 * brightness_set callback for one individual LED.
 *
 * Looks the class device up in drv_data->led[0..SRWS1_NUMBER_LEDS-1] and
 * flips its bit in the cached mask. The device is only written to when
 * the requested state differs from the cached one; an unknown class
 * device is ignored.
 */
static void steelseries_srws1_led_set_brightness(struct led_classdev *led_cdev,
		enum led_brightness value)
{
	struct device *parent = led_cdev->dev->parent;
	struct hid_device *hid = container_of(parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);
	int i, is_on, want_on;

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return;
	}

	/* locate the slot that belongs to this class device */
	for (i = 0; i < SRWS1_NUMBER_LEDS; i++)
		if (led_cdev == drv_data->led[i])
			break;

	if (i == SRWS1_NUMBER_LEDS)
		return;

	is_on = (drv_data->led_state >> i) & 1;
	want_on = (value != LED_OFF);

	/* nothing to send when the cached state already matches */
	if (is_on == want_on)
		return;

	if (want_on)
		drv_data->led_state |= 1 << i;
	else
		drv_data->led_state &= ~(1 << i);

	steelseries_srws1_set_leds(hid, drv_data->led_state);
}
/*
 * brightness_get callback for one individual LED.
 *
 * Returns LED_FULL if the cached mask bit for this class device is set.
 * Returns LED_OFF if the bit is clear, the class device is not one of
 * ours, or no driver data is attached.
 */
static enum led_brightness steelseries_srws1_led_get_brightness(struct led_classdev *led_cdev)
{
	struct device *parent = led_cdev->dev->parent;
	struct hid_device *hid = container_of(parent, struct hid_device, dev);
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hid);
	int i;

	if (!drv_data) {
		hid_err(hid, "Device data not found.");
		return LED_OFF;
	}

	for (i = 0; i < SRWS1_NUMBER_LEDS; i++) {
		if (led_cdev != drv_data->led[i])
			continue;

		if ((drv_data->led_state >> i) & 1)
			return LED_FULL;
		return LED_OFF;
	}

	return LED_OFF;
}
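/*
 * Bind the driver to a SRW-S1 wheel and register its LEDs.
 *
 * @hdev: HID device being probed
 * @id:   matching entry of the device table (unused)
 *
 * Returns 0 on success, -ENOMEM if the driver data cannot be allocated,
 * -ENODEV if the output report does not have the expected shape, or the
 * error from hid_parse()/hid_hw_start(). A failure while setting up the
 * LEDs is not fatal: LEDs registered so far are torn down and the device
 * keeps working without them.
 */
static int steelseries_srws1_probe(struct hid_device *hdev,
		const struct hid_device_id *id)
{
	int ret, i;
	struct led_classdev *led;
	size_t name_sz;
	char *name;

	struct steelseries_srws1_data *drv_data = kzalloc(sizeof(*drv_data), GFP_KERNEL);

	if (drv_data == NULL) {
		hid_err(hdev, "can't alloc SRW-S1 memory\n");
		return -ENOMEM;
	}

	hid_set_drvdata(hdev, drv_data);

	ret = hid_parse(hdev);
	if (ret) {
		hid_err(hdev, "parse failed\n");
		goto err_free;
	}

	/*
	 * The report layout comes from the device. steelseries_srws1_set_leds()
	 * writes 16 values into field 0 of the first output report without any
	 * check of its own, so refuse to bind unless that report really has a
	 * field 0 with at least 16 values. This must stay ahead of the first
	 * set_leds() call and of LED registration.
	 */
	if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) {
		ret = -ENODEV;
		goto err_free;
	}

	ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
	if (ret) {
		hid_err(hdev, "hw start failed\n");
		goto err_free;
	}

	/* register led subsystem */
	drv_data->led_state = 0;
	for (i = 0; i < SRWS1_NUMBER_LEDS + 1; i++)
		drv_data->led[i] = NULL;

	steelseries_srws1_set_leds(hdev, 0);

	/*
	 * 16 = strlen("SRWS1::") + strlen("::RPMALL") + 1 for the NUL, the
	 * longest of the name formats used below.
	 */
	name_sz = strlen(hdev->uniq) + 16;

	/* 'ALL', for setting all LEDs simultaneously */
	led = kzalloc(sizeof(struct led_classdev)+name_sz, GFP_KERNEL);
	if (!led) {
		hid_err(hdev, "can't allocate memory for LED ALL\n");
		goto err_led;
	}

	/* the name string lives directly behind the led_classdev */
	name = (void *)(&led[1]);
	snprintf(name, name_sz, "SRWS1::%s::RPMALL", hdev->uniq);
	led->name = name;
	led->brightness = 0;
	led->max_brightness = 1;
	led->brightness_get = steelseries_srws1_led_all_get_brightness;
	led->brightness_set = steelseries_srws1_led_all_set_brightness;

	drv_data->led[SRWS1_NUMBER_LEDS] = led;
	ret = led_classdev_register(&hdev->dev, led);
	if (ret) {
		/*
		 * This class device never got registered, so it must not go
		 * through led_classdev_unregister() in the cleanup loop:
		 * drop it from the table and free it here.
		 */
		drv_data->led[SRWS1_NUMBER_LEDS] = NULL;
		kfree(led);
		goto err_led;
	}

	/* Each individual LED */
	for (i = 0; i < SRWS1_NUMBER_LEDS; i++) {
		led = kzalloc(sizeof(struct led_classdev)+name_sz, GFP_KERNEL);
		if (!led) {
			hid_err(hdev, "can't allocate memory for LED %d\n", i);
			goto err_led;
		}

		name = (void *)(&led[1]);
		snprintf(name, name_sz, "SRWS1::%s::RPM%d", hdev->uniq, i+1);
		led->name = name;
		led->brightness = 0;
		led->max_brightness = 1;
		led->brightness_get = steelseries_srws1_led_get_brightness;
		led->brightness_set = steelseries_srws1_led_set_brightness;

		drv_data->led[i] = led;
		ret = led_classdev_register(&hdev->dev, led);

		if (ret) {
			hid_err(hdev, "failed to register LED %d. Aborting.\n", i);
			/* same as above: not registered, so only free it */
			drv_data->led[i] = NULL;
			kfree(led);
			goto err_led;
		}
	}

	return 0;

err_led:
	/* Deregister all LEDs (if any); every non-NULL slot is registered */
	for (i = 0; i < SRWS1_NUMBER_LEDS + 1; i++) {
		led = drv_data->led[i];
		drv_data->led[i] = NULL;
		if (!led)
			continue;
		led_classdev_unregister(led);
		kfree(led);
	}
	return 0;	/* but let the driver continue without LEDs */

err_free:
	kfree(drv_data);
	return ret;
}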
/*
 * Unbind from the device.
 *
 * Unregisters and frees every LED class device still recorded in the
 * driver data, stops the HID hardware, then frees the driver data.
 * LED teardown comes first so no LED callback can reach drv_data after
 * it has been freed.
 */
static void steelseries_srws1_remove(struct hid_device *hdev)
{
	struct steelseries_srws1_data *drv_data = hid_get_drvdata(hdev);
	int slot;

	/* Deregister LEDs (if any); skipped entirely without driver data */
	for (slot = 0; drv_data && slot < SRWS1_NUMBER_LEDS + 1; slot++) {
		struct led_classdev *cdev = drv_data->led[slot];

		drv_data->led[slot] = NULL;
		if (cdev) {
			led_classdev_unregister(cdev);
			kfree(cdev);
		}
	}

	hid_hw_stop(hdev);
	kfree(drv_data);
}
#endif
/*
 * report_fixup hook: swap in the fixed descriptor for a matching device.
 *
 * @hdev:  HID device the descriptor belongs to
 * @rdesc: descriptor as supplied by the device
 * @rsize: in/out length of the descriptor in bytes
 *
 * The device descriptor is recognised by four signature bytes. The length
 * test comes first, so those reads (highest offset 40) happen only on a
 * descriptor of at least 115 bytes. Returns the descriptor to parse:
 * the fixed table on a match, with *rsize updated, otherwise @rdesc.
 */
static __u8 *steelseries_srws1_report_fixup(struct hid_device *hdev, __u8 *rdesc,
		unsigned int *rsize)
{
	if (*rsize < 115 || rdesc[11] != 0x02 || rdesc[13] != 0xc8
			|| rdesc[29] != 0xbb || rdesc[40] != 0xc5)
		return rdesc;

	hid_info(hdev, "Fixing up Steelseries SRW-S1 report descriptor\n");
	*rsize = sizeof(steelseries_srws1_rdesc_fixed);

	return steelseries_srws1_rdesc_fixed;
}
/* USB IDs this driver binds to; the empty entry terminates the table. */
static const struct hid_device_id steelseries_srws1_devices[] = {
	{ HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) },
	{ }
};
MODULE_DEVICE_TABLE(hid, steelseries_srws1_devices);
/*
 * Driver registration.
 *
 * probe/remove exist only for LED handling and are compiled in under the
 * same condition as the LED code itself. The output-report validation
 * lives in probe, next to the only code path that writes that report.
 */
static struct hid_driver steelseries_srws1_driver = {
	.name = "steelseries_srws1",
	.id_table = steelseries_srws1_devices,
#if IS_BUILTIN(CONFIG_LEDS_CLASS) || \
	(IS_MODULE(CONFIG_LEDS_CLASS) && IS_MODULE(CONFIG_HID_STEELSERIES))
	.probe = steelseries_srws1_probe,
	.remove = steelseries_srws1_remove,
#endif
	.report_fixup = steelseries_srws1_report_fixup
};

module_hid_driver(steelseries_srws1_driver);
MODULE_LICENSE("GPL");