fix(hidpp10): validate Receiver register and event parsers#552
Open
jelmerdehen wants to merge 1 commit into
Open
fix(hidpp10): validate Receiver register and event parsers#552jelmerdehen wants to merge 1 commit into
jelmerdehen wants to merge 1 commit into
Conversation
Several Receiver methods indexed device-supplied response buffers and
HID++ reports without checking the buffer length:
* getNotificationFlags, getConnectionState, getDeviceActivity,
getPairingInfo and getExtendedPairingInfo dereferenced bytes from
a register response that the device controls.
* deviceConnectionEvent, fillDeviceDiscoveryEvent, pairStatusEvent,
boltPairStatusEvent, discoveryStatusEvent and passkeyEvent only
asserted on subId/type, so a malicious or buggy device could feed
a Short report to a Long-expecting parser and trigger out-of-bounds
reads. Asserts compile out under NDEBUG.
Replace asserts with runtime checks that throw on bad subId or short
type, and validate response/param length before indexing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Several
Receivermethods index device-supplied response buffers and HID++ reports without checking the buffer length:getNotificationFlags,getConnectionState,getDeviceActivity,getPairingInfo, andgetExtendedPairingInfodereference bytes from a register response that the device controls.deviceConnectionEvent,fillDeviceDiscoveryEvent,pairStatusEvent,boltPairStatusEvent,discoveryStatusEvent, andpasskeyEventonlyassertonsubId/typeand then indexparamBegin()[N]. Asserts compile out underNDEBUG, so a malicious or buggy device can feed a Short report to a Long-expecting parser and trigger out-of-bounds reads up to ~14 bytes past the heap allocation.logid runs as root, so reads here are at minimum an information leak from a process the device should not be able to read.
Fix
assertwith runtime checks that throwstd::runtime_erroron badsubId/type.paramEnd - paramBeginlength before indexing.Throwing was chosen over silent return so the calling state machine sees the error and can drop the malformed report instead of acting on uninitialized fields.
Test plan