Commit d3b50414 authored Jul 23, 2025 by Alan Stern Committed by Greg Kroah-Hartman Sep 09, 2025

HID: core: Harden s32ton() against conversion to 0 bits



[ Upstream commit a6b87bfc ]

Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity.  Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.

Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by:  <syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/


Tested-by:  <syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com>
Fixes: dde5845a ("[PATCH] Generic HID layer - code split")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu


Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent d6cfa97a

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit a34fd739
· Nov 05, 2025

mentioned in commit a34fd739

mentioned in commit a34fd73937bb6e8b14551acc04bec53239d354f7

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit bdc81b76
· Nov 05, 2025

mentioned in commit bdc81b76

mentioned in commit bdc81b76cc3e91b2a805bff546c72244ef2504fd

Toggle commit list

Please to comment