From: Rosalie Wanders Date: Sun, 12 Apr 2026 01:12:03 +0000 (+0200) Subject: HID: sony: add missing size validation for Rock Band 3 Pro instruments X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=12bd440b66ed8968afffc46928233967b5b79b98;p=thirdparty%2Fkernel%2Flinux.git HID: sony: add missing size validation for Rock Band 3 Pro instruments This commit adds the missing size validation for Rock Band 3 PS3 Pro instruments in sony_raw_event(), this prevents a malicious device from allowing hid-sony to read out of bounds of the provided buffer. Signed-off-by: Rosalie Wanders Signed-off-by: Jiri Kosina --- diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c index 13fe7a3e57d7..315343415e8f 100644 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -1188,7 +1188,7 @@ static int sony_raw_event(struct hid_device *hdev, struct hid_report *report, /* Rock Band 3 PS3 Pro instruments set rd[24] to 0xE0 when they're * sending full reports, and 0x02 when only sending navigation. */ - if ((sc->quirks & RB3_PRO_INSTRUMENT) && rd[24] == 0x02) { + if ((sc->quirks & RB3_PRO_INSTRUMENT) && size >= 25 && rd[24] == 0x02) { /* Only attempt to enable full report every 8 seconds */ if (time_after(jiffies, sc->rb3_pro_poke_jiffies)) { sc->rb3_pro_poke_jiffies = jiffies + secs_to_jiffies(8);
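Review bot: In the changed condition in sony_raw_event(), the bound `size >= 25` is a bare literal whose only tie to the `rd[24]` access is that the two sit in the same expression. If the offset in the comment above ever changes, the guard can drift from the index without anyone noticing. Consider a named constant for the offset, with the check written as `size > <that constant>`, or at least a short comment stating that 25 is the minimum length needed to read `rd[24]`. The ordering is right: the length test comes before the dereference, so short-circuit evaluation keeps a short report from reaching `rd[24]`. Separately, the commit message describes an out-of-bounds read reachable from a malicious device but carries no Fixes: tag naming the commit that introduced the `rd[24]` read. Adding one would let the fix be matched to the affected stable trees.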