Description
In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.
Product status
dde5845a529ff753364a6d1aea61180946270bfa (git) before 58386f00af710922cafb0fb69211497beddfaa95
dde5845a529ff753364a6d1aea61180946270bfa (git) before 8a8333237f1f5caab8d4c3d2c2e7578c4263a97f
dde5845a529ff753364a6d1aea61180946270bfa (git) before ea363a34086ddb4231adc581a7f36c39ec154bfc
dde5845a529ff753364a6d1aea61180946270bfa (git) before 97014719bb8fccb1ffcbbc299e84b1f11b114195
2.6.20
Any version before 2.6.20
6.12.83 (semver)
6.18.24 (semver)
6.19.14 (semver)
7.0.1 (semver)
References
git.kernel.org/...c/58386f00af710922cafb0fb69211497beddfaa95
git.kernel.org/...c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f
git.kernel.org/...c/ea363a34086ddb4231adc581a7f36c39ec154bfc
git.kernel.org/...c/97014719bb8fccb1ffcbbc299e84b1f11b114195