Linux Kernel HID Report Size Clamping Vulnerability in s32ton Function

Vulnerability

A vulnerability exists in the Linux kernel's HID (Human Interface Device) subsystem, specifically within the s32ton function. The issue arises because s32ton shifts data by n-1, where n is the report size obtained from a HID device. The HID parser only restricts report size to a maximum of 256, so a malfunctioning HID device can present a report descriptor with an excessively wide field. When output reports are processed through hid_output_field or hid_set_field, this leads to undefined behavior: the shift count applied to a 32-bit integer exceeds what that type permits. Although a previous commit addressed similar shift-out-of-bounds issues in another function, s32ton was overlooked. The vulnerability has been patched by adding a clamp that limits the maximum shift value, ensuring safer handling of report sizes.
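The clamp described above, shown as an added userspace illustration; it is not the kernel's s32ton or the upstream patch. The names s32ton_model, clamp_report_size and shift_defined are hypothetical, the limit of 32 is assumed from the 32-bit value width, and 64-bit arithmetic is used so that no shift in the model itself is undefined.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FIELD_BITS 32u /* assumed clamp: width of the 32-bit value */

/* A shift on a 32-bit type is only defined for exponents 0..31. */
static int shift_defined(unsigned n)
{
	return n >= 1 && (n - 1) < 32;
}

/* Clamp a device-supplied report size before it is used as a shift count. */
static unsigned clamp_report_size(unsigned n)
{
	return n > MAX_FIELD_BITS ? MAX_FIELD_BITS : n;
}

/* Model: convert a signed 32-bit value to an n-bit two's-complement field,
 * saturating at the field's minimum or maximum when the value does not fit. */
static uint32_t s32ton_model(int32_t value, unsigned n)
{
	int64_t v = value, lo, hi;

	n = clamp_report_size(n);
	if (n == 0)
		return 0;
	hi = ((int64_t)1 << (n - 1)) - 1; /* largest n-bit signed value */
	lo = -hi - 1;                     /* smallest n-bit signed value */
	if (v > hi)
		v = hi;
	if (v < lo)
		v = lo;
	return (uint32_t)((uint64_t)v & (((uint64_t)1 << n) - 1));
}

int main(void)
{
	/* Constructed report sizes: two sane widths and two oversized ones. */
	unsigned sizes[] = { 8, 32, 33, 256 };

	for (unsigned i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		unsigned n = sizes[i];
		printf("n=%3u raw shift defined=%d clamped n=%2u s32ton(-1)=0x%08x\n",
		       n, shift_defined(n), clamp_report_size(n),
		       (unsigned)s32ton_model(-1, n));
	}
	return 0;
}
```

For report sizes 33 and 256 the unclamped shift count is out of range for a 32-bit type, while the clamped conversion returns the same result as a 32-bit field.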

Impact

The vulnerability could be exploited to cause undefined behavior in the kernel, potentially leading to memory corruption or other unintended consequences.

Reproduction

The vulnerability can be reproduced by using a broken HID device that sends a report descriptor with a wide field, exceeding the safe report size limit. This can be done by crafting a HID report descriptor that triggers the s32ton function to shift data by an unsafe amount, exploiting the lack of proper clamping in the function.

Remediation

Users can apply the patch included in the Linux kernel stable release that addresses this vulnerability. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Apr 24, 2026, 5:10 PM
Updated: Apr 24, 2026, 5:10 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.