HID: core: detect and skip invalid inputs to snto32()

bmastbergen · bmastbergen · commit e5007b77c715 · 2025-11-21T11:42:34.000-05:00
jira VULN-33524 cve-pre CVE-2022-48978 commit-author Randy Dunlap <rdunlap@infradead.org> commit a0312af Prevent invalid (0, 0) inputs to hid-core's snto32() function. Maybe it is just the dummy device here that is causing this, but there are hundreds of calls to snto32(0, 0). Having n (bits count) of 0 is causing the current UBSAN trap with a shift value of 0xffffffff (-1, or n - 1 in this function). Either of the value to shift being 0 or the bits count being 0 can be handled by just returning 0 to the caller, avoiding the following complex shift + OR operations: return value & (1 << (n - 1)) ? value | (~0U << n) : value; Fixes: dde5845 ("[PATCH] Generic HID layer - code split") Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com Cc: Jiri Kosina <jikos@kernel.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: linux-input@vger.kernel.org Signed-off-by: Jiri Kosina <jkosina@suse.cz> (cherry picked from commit a0312af) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
@@ -1026,6 +1026,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);
 
 static s32 snto32(__u32 value, unsigned n)
 {
+	if (!value || !n)
+		return 0;
+
 	switch (n) {
 	case 8:  return ((__s8)value);
 	case 16: return ((__s16)value);

Original file line number	Diff line number	Diff line change
`@@ -1026,6 +1026,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);`
`1026`	`1026`
`1027`	`1027`	`static s32 snto32(__u32 value, unsigned n)`
`1028`	`1028`	`{`
	`1029`	`+ if (!value \|\| !n)`
	`1030`	`+ return 0;`
	`1031`	`+`
`1029`	`1032`	`switch (n) {`
`1030`	`1033`	`case 8: return ((__s8)value);`
`1031`	`1034`	`case 16: return ((__s16)value);`