HID: bigben: fix slab-out-of-bounds Write in bigben_probe

[ Upstream commit fc4ef9d5724973193bfa5ebed181dba6de3a56db ]

There is a slab-out-of-bounds Write bug in hid-bigbenff driver.
The problem is the driver assumes the device must have an input but
some malicious devices violate this assumption.

Fix this by checking hid_device's input is non-empty before its usage.

Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c
index 74ad8bf98bfd5acea3d24ecff58300bdab434a26..e8c5e3ac9fff1596b4962697cbf42be116c9d600 100644 (file)
--- a/drivers/hid/hid-bigbenff.c
+++ b/drivers/hid/hid-bigbenff.c
@@ -347,6 +347,12 @@ static int bigben_probe(struct hid_device *hid,
        bigben->report = list_entry(report_list->next,
                struct hid_report, list);
 
+       if (list_empty(&hid->inputs)) {
+               hid_err(hid, "no inputs found\n");
+               error = -ENODEV;
+               goto error_hw_stop;
+       }
+
        hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
        set_bit(FF_RUMBLE, hidinput->input->ffbit);