From: Lee Jones <lee@kernel.org>
To: Benjamin Tissoires <bentiss@kernel.org>
Cc: Jiri Kosina <jikos@kernel.org>,
David Rheinsberg <david@readahead.eu>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement
Date: Thu, 26 Feb 2026 14:08:10 +0000 [thread overview]
Message-ID: <20260226140810.GD8023@google.com> (raw)
In-Reply-To: <aaA6fioiB9_aiBrA@plouf>
On Thu, 26 Feb 2026, Benjamin Tissoires wrote:
> On Feb 26 2026, Lee Jones wrote:
> > On Tue, 24 Feb 2026, Jiri Kosina wrote:
> >
> > > On Tue, 24 Feb 2026, Benjamin Tissoires wrote:
> > >
> > > > Long story short: that patch is too intrusive as it makes assumption on
> > > > the behavior of the device. We need to understand where/if the bug was
> > > > spotted and fix the caller of hid_hw_raw_request, not the uhid
> > > > implementation.
> > >
> > > Thanks a lot for the analysis, Benjamin!
> > >
> > > I asked about that here:
> > >
> > > https://lore.kernel.org/all/172q4775-616s-p7s4-7n80-p8579n0r3516@xreary.bet/
> > >
> > > So let's wait for Lee to clarify. Until that, the patch stays out of the
> > > branch.
> >
> > Thanks to both of you for looking into this. I appreciate your efforts.
> >
> > This is very much real world.
> >
> > Is there a way to add an errata for the PS3 controller?
> >
>
> Unfortunatelly no. uhid merely emulates what a device can do, and HID is
> a convention. So if we were to have a special case to PS3 controllers,
> we would then start having to maintain an endless list of quirks when
> the issue is *not* in uhid, but in the processing of the device after
> (maybe in hid-core?).
Actually I think the issue is in UHID. At least the way I read it.
Are there legitimate use-cases for devices overwriting the Report ID
contained in the first index of the data buffer? From my very limited
knowledge of the subsystem, this sounds like an oversight.
--
Lee Jones [李琼斯]
next prev parent reply other threads:[~2026-02-26 14:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 16:40 [PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement Lee Jones
2026-02-21 9:49 ` Jiri Kosina
2026-02-21 13:03 ` Benjamin Tissoires
2026-02-21 19:46 ` Jiri Kosina
2026-02-24 8:42 ` Jiri Kosina
2026-02-24 15:57 ` Benjamin Tissoires
2026-02-24 16:12 ` Jiri Kosina
2026-02-26 11:18 ` Lee Jones
2026-02-26 12:22 ` Benjamin Tissoires
2026-02-26 14:08 ` Lee Jones [this message]
2026-02-26 15:51 ` Benjamin Tissoires
2026-02-26 16:23 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260226140810.GD8023@google.com \
--to=lee@kernel.org \
--cc=bentiss@kernel.org \
--cc=david@readahead.eu \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.