Bug 202999 - The HID Parser has some bugs and limitations
Summary: The HID Parser has some bugs and limitations
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Bluetooth
Hardware: All Linux
Importance: P1 normal
Assignee: linux-bluetooth@vger.kernel.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-22 07:25 UTC by Remy Zimmermann
Modified: 2019-03-22 07:25 UTC
0 users

See Also:
Kernel Version: 4.9
Subsystem:
Regression: No
Bisected commit-id:



Description Remy Zimmermann 2019-03-22 07:25:50 UTC
From hid-core.c:

	case HID_GLOBAL_ITEM_TAG_REPORT_SIZE:
		parser->global.report_size = item_udata(item);
		if (parser->global.report_size > 96) {
			dbg_hid("invalid report_size %d\n",
					parser->global.report_size);
			return -1;
		}
		return 0;

The 96-bit limit is arbitrary. For new categories of devices this can be a limitation (in our case an array of structure larger than 12 bytes). I would recommend either no limit (dynamic) or something like 64 * 8 bits.


	if (parser->global.logical_maximum < parser->global.logical_minimum) {
		dbg_hid("logical range invalid %d %d\n", parser->global.logical_minimum, parser->global.logical_maximum);
		return -1;
	}

If the item is 32-bit and the logical extent is (0 - 0xFFFFFFFF), the logical_maximum will flip sign as it is a 32-bit signed variable and the assertion will fail.

Those issues are not found on Windows/MacOS/iOS.
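
Added example (not part of the original report and not the kernel's code): a simplified model of HID short-item global parsing that applies the two checks quoted above to constructed descriptors. The struct, enum and function names are hypothetical; only the 96-bit limit and the signed 32-bit logical_maximum come from the report, and long items are not modelled.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the parser's global state (not the kernel's code). */
struct globals_model {
    int32_t  logical_minimum;
    int32_t  logical_maximum;  /* signed 32-bit, as the report describes */
    uint32_t report_size;
};

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_REPORT_SIZE = -2, ERR_RANGE = -3 };
/* Sign-extend a 1-, 2- or 4-byte little-endian payload already read into v. */
static int32_t sign_extend(uint32_t v, unsigned len)
{
    if (len == 1) return (int8_t)v;
    if (len == 2) return (int16_t)v;
    return (int32_t)v;
}

/* Walk HID short items and apply the two checks quoted in the report. */
int parse_globals(const uint8_t *d, size_t n, struct globals_model *g)
{
    static const unsigned sizes[4] = { 0, 1, 2, 4 };
    for (size_t i = 0; i < n; ) {
        uint8_t prefix = d[i++];
        unsigned len = sizes[prefix & 3], type = (prefix >> 2) & 3, tag = prefix >> 4;
        uint32_t v = 0;
        if (len > n - i) return ERR_TRUNCATED;
        for (unsigned k = 0; k < len; k++) v |= (uint32_t)d[i + k] << (8 * k);
        i += len;
        if (type != 1) continue;              /* model global items only */
        if (tag == 1) g->logical_minimum = sign_extend(v, len);
        if (tag == 2) g->logical_maximum = (int32_t)v;  /* 0xFFFFFFFF becomes -1 */
        if (tag == 7) {
            g->report_size = v;
            if (v > 96) return ERR_REPORT_SIZE;   /* limit quoted in the report */
        }
    }
    return g->logical_maximum < g->logical_minimum ? ERR_RANGE : PARSE_OK;
}

/* Constructed descriptors: (a) Logical Min 0, 32-bit Logical Max 0xFFFFFFFF, Report Size 32; (b) Report Size 128. */
const uint8_t desc_full_range[] = { 0x15, 0x00, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0x75, 0x20 };
const uint8_t desc_wide_field[] = { 0x15, 0x00, 0x25, 0x7F, 0x75, 0x80 };

int main(void) {
    struct globals_model g = { 0, 0, 0 };
    return parse_globals(desc_full_range, sizeof desc_full_range, &g) == ERR_RANGE ? 0 : 1;
}
```

In this model the full-range descriptor is rejected by the range check because the stored maximum reads back as -1, and the 128-bit field is rejected by the report-size check.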
