git.ipfire.org Git - thirdparty/linux.git/commit

author	Lee Jones <lee@kernel.org>
	Wed, 27 May 2026 16:05:26 +0000 (17:05 +0100)
committer	Benjamin Tissoires <bentiss@kernel.org>
	Thu, 28 May 2026 15:43:16 +0000 (17:43 +0200)
commit	c0a8899e02ddebd51e2589835182c239c2e224ae
tree	2606c735ac516b452f4d353a8c0502af3f59121c	tree \| snapshot
parent	da7f96a68c39de9eb1c351a261e7fbf716375c91	commit \| diff

HID: wacom: Fix OOB write in wacom_hid_set_device_mode()

wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
usage is always located in the first field (field[0]) of the feature report.
However, a device can specify HID_DG_INPUTMODE in a different field.

If HID_DG_INPUTMODE is in a field other than the first one and the first
field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
this leads to an out-of-bounds write to r->field[0]->value.

Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
hid_data' during feature mapping. In wacom_hid_set_device_mode(), use
this stored field index to access the correct field and add bounds
checks to ensure both the field index and the value index are within
valid ranges before writing.

Cc: stable@vger.kernel.org
Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
Tested-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

drivers/hid/wacom_sys.c		diff \| blob \| blame \| history
drivers/hid/wacom_wac.h		diff \| blob \| blame \| history