usb_hid: use user_memcpy to read/write the user buffers.

also check buffer addresses.

src/add-ons/kernel/drivers/input/usb_hid/KeyboardProtocolHandler.cpp

@@ -369,6 +369,9 @@ KeyboardProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 					continue;
 				}
 
+				if (!IS_USER_ADDRESS(buffer))
+					return B_BAD_ADDRESS;
+
 				// process what is in the ring_buffer, it could be written
 				// there because we handled an interrupt transfer or because
 				// we wrote the current repeat key
@@ -379,16 +382,21 @@ KeyboardProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 		case KB_SET_LEDS:
 		{
 			uint8 ledData[4];
-			if (user_memcpy(ledData, buffer, sizeof(ledData)) != B_OK)
+			if (!IS_USER_ADDRESS(buffer)
+				|| user_memcpy(ledData, buffer, sizeof(ledData)) != B_OK) {
 				return B_BAD_ADDRESS;
+			}
 			return _SetLEDs(ledData);
 		}
 
 		case KB_SET_KEY_REPEAT_RATE:
 		{
 			int32 repeatRate;
-			if (user_memcpy(&repeatRate, buffer, sizeof(repeatRate)) != B_OK)
+			if (!IS_USER_ADDRESS(buffer)
+				|| user_memcpy(&repeatRate, buffer, sizeof(repeatRate))
+					!= B_OK) {
 				return B_BAD_ADDRESS;
+			}
 
 			if (repeatRate == 0 || repeatRate > 1000000)
 				return B_BAD_VALUE;
@@ -400,21 +408,28 @@ KeyboardProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 		case KB_GET_KEY_REPEAT_RATE:
 		{
 			int32 repeatRate = 10000000 / fRepeatRate;
-			if (user_memcpy(buffer, &repeatRate, sizeof(repeatRate)) != B_OK)
+			if (!IS_USER_ADDRESS(buffer)
+				|| user_memcpy(buffer, &repeatRate, sizeof(repeatRate))
+					!= B_OK) {
 				return B_BAD_ADDRESS;
+			}
 			return B_OK;
 		}
 
 		case KB_SET_KEY_REPEAT_DELAY:
-			if (user_memcpy(&fRepeatDelay, buffer, sizeof(fRepeatDelay))
-					!= B_OK)
+			if (!IS_USER_ADDRESS(buffer)
+				|| user_memcpy(&fRepeatDelay, buffer, sizeof(fRepeatDelay))
+					!= B_OK) {
 				return B_BAD_ADDRESS;
+			}
 			return B_OK;
 
 		case KB_GET_KEY_REPEAT_DELAY:
-			if (user_memcpy(buffer, &fRepeatDelay, sizeof(fRepeatDelay))
-					!= B_OK)
+			if (!IS_USER_ADDRESS(buffer)
+				|| user_memcpy(buffer, &fRepeatDelay, sizeof(fRepeatDelay))
+					!= B_OK) {
 				return B_BAD_ADDRESS;
+			}
 			return B_OK;
 
 		case KB_SET_DEBUG_READER:

src/add-ons/kernel/drivers/input/usb_hid/MouseProtocolHandler.cpp

@@ -19,6 +19,7 @@
 #include <string.h>
 #include <usb/USB_hid.h>
 
+#include <kernel.h>
 #include <keyboard_mouse_driver.h>
 
 
@@ -132,9 +133,18 @@ MouseProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 				return B_BUFFER_OVERFLOW;
 
 			while (true) {
-				status_t result = _ReadReport(buffer, cookie);
-				if (result != B_INTERRUPTED)
-					return result;
+				mouse_movement movement;
+				status_t result = _ReadReport(&movement, cookie);
+				if (result == B_INTERRUPTED)
+					continue;
+
+				if (!IS_USER_ADDRESS(buffer)
+					|| user_memcpy(buffer, &movement, sizeof(movement))
+						!= B_OK) {
+					return B_BAD_ADDRESS;
+				}
+
+				return result;
 			}
 		}
 
@@ -148,12 +158,13 @@ MouseProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 		}
 
 		case MS_SET_CLICKSPEED:
-#ifdef __HAIKU__
-				return user_memcpy(&fClickSpeed, buffer, sizeof(bigtime_t));
-#else
-				fClickSpeed = *(bigtime_t *)buffer;
-				return B_OK;
-#endif
+			if (!IS_USER_ADDRESS(buffer)
+				|| user_memcpy(&fClickSpeed, buffer, sizeof(bigtime_t))
+					!= B_OK) {
+				return B_BAD_ADDRESS;
+			}
+
+			return B_OK;
 	}
 
 	return B_ERROR;