From: Jiri Kosina jkosina@suse.com

stable inclusion from stable-v4.19.324 commit e7ea60184e1e88a3c9e437b3265cbb6439aa7e26 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVT CVE: CVE-2024-50302

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]

Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

Fixes: 27ce405039bf ("HID: fix data access in implement()") Reported-by: Benoît Sevens bsevens@google.com Acked-by: Benjamin Tissoires bentiss@kernel.org Signed-off-by: Jiri Kosina jkosina@suse.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Tirui Yin yintirui@huawei.com Reviewed-by: yongqiang Liu liuyongqiang13@huawei.com --- drivers/hid/hid-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index a8f155bda610..7dd30deceda4 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1462,7 +1462,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)

u32 len = hid_report_len(report) + 7;

- return kmalloc(len, flags); + return kzalloc(len, flags); } EXPORT_SYMBOL_GPL(hid_alloc_report_buf);