]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 278dd04) | patch
HID: ft260: validate i2c input report length
authorMichael Zaidman <michael.zaidman@gmail.com>
Sat, 11 Apr 2026 06:24:37 +0000 (09:24 +0300)
committerJiri Kosina <jkosina@suse.com>
Tue, 28 Apr 2026 16:24:52 +0000 (18:24 +0200)
commit80c4bbb2b38513e9c3d84805fa61a0ee16d79c45
tree7ed535d7db2594a47b9cc3073f226e345ae6b5adtree | snapshot
parent278dd0487907112de8e34e1a97ac6145a8081523commit | diff
HID: ft260: validate i2c input report length

Add two checks to ft260_raw_event() to prevent out-of-bounds reads
from malicious or malfunctioning devices:

First, reject reports shorter than the 2-byte header (report ID +
length fields). Without this, even accessing xfer->length on a
1-byte report is an OOB read.

Second, validate xfer->length against the actual data capacity of
the received HID report. Each I2C data report ID (0xD0 through
0xDE) defines a different report size in the HID descriptor, so the
available payload varies per report. A corrupted length field could
cause memcpy to read beyond the report buffer.

Reported-by: SebastiƔn JosuƩ Alba Vives <sebasjosue84@gmail.com>
Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
drivers/hid/hid-ft260.c diff | blob | blame | history
A mirror of Linus' kernel repository