]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
selftests/hid: Cover hid_bpf_get_data() size overflow
authorYiyang Chen <chenyy23@mails.tsinghua.edu.cn>
Tue, 23 Jun 2026 06:23:15 +0000 (06:23 +0000)
committerBenjamin Tissoires <bentiss@kernel.org>
Wed, 1 Jul 2026 07:55:36 +0000 (09:55 +0200)
commiteebbef7c468a5cb58c4772849ee5066441166cf0
tree4fd881bf317103ef8688b1adc0115ef19097177e
parent5aad55011a37d999cf99d14bafb6a093a1a70466
selftests/hid: Cover hid_bpf_get_data() size overflow

Add a HID-BPF regression check for hid_bpf_get_data() requests whose
size would overflow when added to the offset.

The new rdesc fixup callback asks for offset 2 and size ~0ULL, then
records whether the helper returns NULL. A vulnerable kernel returns a
non-NULL pointer because the runtime check wraps the addition. A fixed
kernel rejects the request. The callback records the helper result
without dereferencing any returned pointer.

The callback reports the helper result through BSS and returns 0
intentionally. hid_rdesc_fixup return values are consumed as report
descriptor fixup results, so a positive test-result value would be
interpreted as a replacement report descriptor size.

Also add KHDR_INCLUDES to the HID selftest build so hid_bpf.c sees the
current kernel UAPI HID definitions on systems whose installed headers do
not provide enum hid_report_type.

Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")
Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
tools/testing/selftests/hid/Makefile
tools/testing/selftests/hid/hid_bpf.c
tools/testing/selftests/hid/progs/hid.c