git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Seungjin Bae <eeodqql09@gmail.com>
	Mon, 24 Nov 2025 19:20:46 +0000 (14:20 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 3 Dec 2025 11:45:22 +0000 (12:45 +0100)
commit	c4e746651bd74c38f581e1cf31651119a94de8cd
tree	c40595af72eb98f7c66cb9a213a4e5f95c489cba	tree \| snapshot
parent	a643fecbcac0a343fc83393ebf31eb09cd556e5b	commit \| diff

Input: pegasus-notetaker - fix potential out-of-bounds access

[ Upstream commit 69aeb507312306f73495598a055293fa749d454e ]

In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.

Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>