HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.

Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.

Add explicit length checks for these report IDs and log a warning if
a short report is received.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 9b2c710f8da18274e943abd9ad48bbfc156a9611..da1f0ea85625dca7036db8512ed4f580d765fc5e 100644 (file)
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -1208,10 +1208,20 @@ static int wacom_intuos_bt_irq(struct wacom_wac *wacom, size_t len)
 
        switch (data[0]) {
        case 0x04:
+               if (len < 32) {
+                       dev_warn(wacom->pen_input->dev.parent,
+                                "Report 0x04 too short: %zu bytes\n", len);
+                       break;
+               }
                wacom_intuos_bt_process_data(wacom, data + i);
                i += 10;
                fallthrough;
        case 0x03:
+               if (i == 1 && len < 22) {
+                       dev_warn(wacom->pen_input->dev.parent,
+                                "Report 0x03 too short: %zu bytes\n", len);
+                       break;
+               }
                wacom_intuos_bt_process_data(wacom, data + i);
                i += 10;
                wacom_intuos_bt_process_data(wacom, data + i);