From: Kean Date: Thu, 14 May 2026 12:58:38 +0000 (+0800) Subject: HID: lenovo: Fix buffer over-read and unaligned access in X12 Tab raw_event handler X-Git-Tag: v7.1-rc6~24^2~3 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=c7ee0b73c8c4dfb7eafa49aaef5247890862a948;p=thirdparty%2Fkernel%2Flinux.git HID: lenovo: Fix buffer over-read and unaligned access in X12 Tab raw_event handler In lenovo_raw_event(), the X12 Tab keyboard handler reads a 4-byte little-endian value from the raw HID report buffer but: 1. The size guard is size >= 3, while the access reads 4 bytes. A malformed 3-byte report with ID 0x03 would over-read the buffer by one byte. 2. Casting u8 *data directly to __le32 * can trigger unaligned access faults on architectures like ARM, MIPS, and SPARC, because HID input buffers carry no alignment guarantee. (e.g. uhid payloads start at offset 6 in struct uhid_event, giving only 2-byte alignment.) Fix both by tightening the size check to >= 4 and replacing the open-coded cast + le32_to_cpu() with get_unaligned_le32(), which handles the LE-to-CPU conversion safely regardless of alignment. Link: https://sashiko.dev/#/message/20260512044911.99B6DC2BCB0%40smtp.kernel.org Assisted-by: CLAUDE:claude-4-sonnet Signed-off-by: Kean Signed-off-by: Benjamin Tissoires --- diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c index a6b73e03c16b..c11957ae8b77 100644 --- a/drivers/hid/hid-lenovo.c +++ b/drivers/hid/hid-lenovo.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include "hid-ids.h" @@ -793,8 +794,8 @@ static int lenovo_raw_event(struct hid_device *hdev, */ if (unlikely((hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB || hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB2) - && size >= 3 && report->id == 0x03)) - return lenovo_raw_event_TP_X12_tab(hdev, le32_to_cpu(*(__le32 *)data)); + && size >= 4 && report->id == 0x03)) + return lenovo_raw_event_TP_X12_tab(hdev, get_unaligned_le32(data)); return 0; }