diff options
| author | Kwok Kin Ming <kenkinming2002@gmail.com> | 2026-01-01 02:18:26 +0800 |
|---|---|---|
| committer | Benjamin Tissoires <bentiss@kernel.org> | 2026-01-07 18:35:58 +0100 |
| commit | 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 (patch) | |
| tree | 4ceb17903fdf8cfb24a83b0fd3fefd45ec90cac3 /drivers | |
| parent | f287ba5951a4b3a47305b64a3fcde5d0911adb9b (diff) | |
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.
The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).
The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.
Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.
The impact is low since access to hidraw devices requires root.
Signed-off-by: Kwok Kin Ming <kenkinming2002@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/hid/i2c-hid/i2c-hid-core.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c index 63f46a2e5788..5a183af3d5c6 100644 --- a/drivers/hid/i2c-hid/i2c-hid-core.c +++ b/drivers/hid/i2c-hid/i2c-hid-core.c @@ -286,6 +286,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid, * In addition to report data device will supply data length * in the first 2 bytes of the response, so adjust . */ + recv_len = min(recv_len, ihid->bufsize - sizeof(__le16)); error = i2c_hid_xfer(ihid, ihid->cmdbuf, length, ihid->rawbuf, recv_len + sizeof(__le16)); if (error) { |