]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
HID: core: Fix OOB read in hid_get_report for numbered reports
authorLee Jones <lee@kernel.org>
Tue, 16 Jun 2026 11:26:56 +0000 (11:26 +0000)
committerJiri Kosina <jkosina@suse.com>
Mon, 29 Jun 2026 09:10:23 +0000 (11:10 +0200)
When a caller passes a size of 0 to hid_report_raw_event() for a
numbered report, the function originally called hid_get_report() before
performing any size validation.

Inside hid_get_report(), if the report is numbered (report_enum->numbered
is true), it unconditionally dereferences data[0] to extract the report ID.
With a size of 0, this results in an out-of-bounds read or kernel panic.

Fix this by moving the numbered report size validation check before the
call to hid_get_report(), ensuring that size is at least 1 before
dereferencing the data pointer.

Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
drivers/hid/hid-core.c

index 41a79e43c82b32c8a04187f08d76497a71d2da50..cf123347a2af7bfe466bd0b502bf3c753d237bb3 100644 (file)
@@ -2045,6 +2045,13 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
        u8 *cdata = data;
        int ret = 0;
 
+       if (report_enum->numbered && (size < 1 || bufsize < 1)) {
+               hid_warn_ratelimited(hid,
+                                    "Event data for numbered report is too short (%d vs %zu)\n",
+                                    size, bufsize);
+               return -EINVAL;
+       }
+
        report = hid_get_report(report_enum, data);
        if (!report)
                return 0;