Re: Serious bug in HID core

On Jul 09 2025, Alan Stern wrote:
> On Wed, Jul 09, 2025 at 05:35:41PM +0200, Benjamin Tissoires wrote:
> > On Jul 09 2025, Alan Stern wrote:
> > > On Wed, Jul 09, 2025 at 10:44:35AM +0200, Benjamin Tissoires wrote:
> > > > On Jul 08 2025, Alan Stern wrote:
> > > > > On Tue, Jul 08, 2025 at 05:51:08PM +0200, Benjamin Tissoires wrote:
> > > > > > The second one would need a little bit more understanding of the fake
> > > > > > report descriptor provided by syzbot.
> > > > > 
> > > > > I suppose we can get the information from syzbot if it's really 
> > > > > necessary.  But it seems to be a minor point.
> > > > 
> > > > Well, to me it's important because I can get an easier reproducer and
> > > > add this corner case in the HID test suite :) Not to mention the
> > > > understanding on how we can get to this corner case.
> > > 
> > > I can get it for you if you really want to see it.  It's just a question 
> > > of asking syzbot to run the reproducer with a patch that prints all the 
> > > report descriptors.
> > 
> > I would very much appreciate that :)
> 
> Here's the output from syzbot, with all the extra fluff removed:
> 
> 	96 01 00 06 01 00 03 00 00 00 00 2a 90 a0 27 00
> 	00 00 00 b3 81 3e 25 03 1b dd e8 40 50 3b 5d 8c
> 	3d da
> 
> This is the full USB report descriptor contents.  Hopefully you have a 
> tool that can translate these byte values.
> 

Thanks a lot. After a little bit of trial and error, I managed to
reproduce it locally.

The parsed report descriptor is the following:

        0x96, 0x01, 0x00,              # Report Count (1)                    0
        0x06, 0x01, 0x00,              # Usage Page (Generic Desktop)        3
        # 0x03, 0x00, 0x00, 0x00, 0x00,  # Ignored by the kernel somehow
        0x2a, 0x90, 0xa0,              # Usage Maximum (41104)               6
        0x27, 0x00, 0x00, 0x00, 0x00,  # Logical Maximum (0)                 9
        0xb3, 0x81, 0x3e, 0x25, 0x03,  # Feature (Cnst,Arr,Abs,Vol)          14
        0x1b, 0xdd, 0xe8, 0x40, 0x50,  # Usage Minimum (1346431197)          19
        0x3b, 0x5d, 0x8c, 0x3d, 0xda,  # Designator Index                    24

(as expected, full of garbage, and just one Feature report, no Input
report).

And to trigger the bug, I need to actually set the VID/PID to the one
from the syzbot report (0x045e, 0x07da).

With that, I have now:
[    2.425586] __hidinput_change_resolution_multipliers report->size: 0 drivers/hid/hid-input.c:1912

Which means I can play around with this now.

Cheers,
Benjamin
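
The decoding in the message above can be reproduced with a short-item tokenizer that follows the HID 1.11 prefix layout (bits 0-1 size, bits 2-3 type, bits 4-7 tag). This is an added example, not code from the thread or the kernel; `parse_items` and `triage` are hypothetical names, and offsets are into the raw 34 bytes, so they count the 5-byte item that the listing comments out.

```python
# Added example: HID short-item tokenizer (not from the thread or the kernel).
# Bytes copied from the syzbot output quoted in the message above.
DESCRIPTOR = bytes.fromhex(
    "96 01 00 06 01 00 03 00 00 00 00 2a 90 a0 27 00"
    "00 00 00 b3 81 3e 25 03 1b dd e8 40 50 3b 5d 8c"
    "3d da"
)

# Item names per HID 1.11, indexed by item type: 0 Main, 1 Global, 2 Local.
MAIN = {0x8: "Input", 0x9: "Output", 0xA: "Collection", 0xB: "Feature",
        0xC: "End Collection"}
GLOBAL = dict(enumerate([
    "Usage Page", "Logical Minimum", "Logical Maximum", "Physical Minimum",
    "Physical Maximum", "Unit Exponent", "Unit", "Report Size", "Report ID",
    "Report Count", "Push", "Pop"]))
LOCAL = {0: "Usage", 1: "Usage Minimum", 2: "Usage Maximum",
         3: "Designator Index", 4: "Designator Minimum",
         5: "Designator Maximum", 7: "String Index", 8: "String Minimum",
         9: "String Maximum", 0xA: "Delimiter"}
NAMES = (MAIN, GLOBAL, LOCAL, {})  # type 3 is reserved


def parse_items(desc):
    """Return [(offset, name or None, unsigned value)] for each short item."""
    items, off = [], 0
    while off < len(desc):
        prefix = desc[off]
        if prefix == 0xFE:
            raise ValueError(f"long item at offset {off} not handled here")
        size = (0, 1, 2, 4)[prefix & 0x3]      # size code 3 means 4 bytes
        item_type, tag = (prefix >> 2) & 0x3, prefix >> 4
        data = desc[off + 1:off + 1 + size]
        if len(data) < size:
            raise ValueError(f"truncated item at offset {off}")
        # Values are shown unsigned, as in the listing in the message.
        value = int.from_bytes(data, "little")
        items.append((off, NAMES[item_type].get(tag), value))
        off += 1 + size
    return items


def triage(desc):
    """Summarise what a test author needs to know about a fuzzed descriptor."""
    items = parse_items(desc)
    names = [name for _, name, _ in items]
    return {"undefined_offsets": [o for o, n, _ in items if n is None],
            "has_input": "Input" in names, "has_feature": "Feature" in names}
```

`triage(DESCRIPTOR)` reports one undefined item at raw offset 6 (Main type, tag 0), a Feature item, and no Input item, matching the "just one Feature report, no Input report" observation.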




