git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Benjamin Tissoires <bentiss@kernel.org>
	Mon, 4 May 2026 08:47:22 +0000 (10:47 +0200)
committer	Jiri Kosina <jkosina@suse.com>
	Tue, 12 May 2026 16:03:37 +0000 (18:03 +0200)
commit	2c85c61d1332e1e16f020d76951baf167dcb6f7a
tree	e0d6bc40e0c36922e10bc72e2af8d1a136af1c4c	tree \| snapshot
parent	b08665fe80fab0956e64741c07d9bbcec635c34d	commit \| diff

HID: pass the buffer size to hid_report_raw_event

commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
bogus memset()") enforced the provided data to be at least the size of
the declared buffer in the report descriptor to prevent a buffer
overflow. However, we can try to be smarter by providing both the buffer
size and the data size, meaning that hid_report_raw_event() can make
better decision whether we should plaining reject the buffer (buffer
overflow attempt) or if we can safely memset it to 0 and pass it to the
rest of the stack.

Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

drivers/hid/bpf/hid_bpf_dispatch.c		diff \| blob \| blame \| history
drivers/hid/hid-core.c		diff \| blob \| blame \| history
drivers/hid/hid-gfrm.c		diff \| blob \| blame \| history
drivers/hid/hid-logitech-hidpp.c		diff \| blob \| blame \| history
drivers/hid/hid-multitouch.c		diff \| blob \| blame \| history
drivers/hid/hid-primax.c		diff \| blob \| blame \| history
drivers/hid/hid-vivaldi-common.c		diff \| blob \| blame \| history
drivers/hid/wacom_sys.c		diff \| blob \| blame \| history
drivers/staging/greybus/hid.c		diff \| blob \| blame \| history
include/linux/hid.h		diff \| blob \| blame \| history
include/linux/hid_bpf.h		diff \| blob \| blame \| history