From: Lee Jones <lee@kernel.org>
To: Benjamin Tissoires <bentiss@kernel.org>
Cc: Ping Cheng <pinglinux@gmail.com>,
Ping Cheng <ping.cheng@wacom.com>,
Jason Gerecke <jason.gerecke@wacom.com>,
Jiri Kosina <jikos@kernel.org>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 1/1] HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
Date: Thu, 21 May 2026 17:22:12 +0100
Message-ID: <20260521162212.GF3591266@google.com>
In-Reply-To: <ag8ozWBDSDckicSS@beelink>

On Thu, 21 May 2026, Benjamin Tissoires wrote:
> On May 19 2026, Lee Jones wrote:
> > On Wed, 13 May 2026, Ping Cheng wrote:
> >
> > > On Wed, May 13, 2026 at 1:05 AM Lee Jones <lee@kernel.org> wrote:
> > > >
> > > > wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
> > > > usage is always located in the first field (field[0]) of the feature report.
> > > > However, a device can specify HID_DG_INPUTMODE in a different field.
> > > >
> > > > If HID_DG_INPUTMODE is in a field other than the first one and the first
> > > > field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
> > > > this leads to an out-of-bounds write to r->field[0]->value.
> > > >
> > > > Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
> > > > hid_data' during feature mapping. In wacom_hid_set_device_mode(), use
> > > > this stored field index to access the correct field and add bounds
> > > > checks to ensure both the field index and the value index are within
> > > > valid ranges before writing.
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
> > > > Signed-off-by: Lee Jones <lee@kernel.org>
> > >
> > > Patch looks sensible to me. Thank you for your effort, Lee!
> > >
> > > Tested-by: Ping Cheng <ping.cheng@wacom.com>
> > > Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
> >
> > Thank you Ping, I appreciate your review.
> >
> > HID folks - any movement on this please?
> >
>
> I wanted to apply it today, but the patch conflicts with our current
> for-7.1/upstream-fixes.
>
> Could you rebase on top of this branch so we can take this without me
> messing with your patch?

Sure. Leave it with me. Probably be early next week.

--
Lee Jones
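
The bounds checks described in the quoted commit message, as a simplified user-space model added here for illustration; it is not the patch or kernel code, and every `model_*` struct and function name is a hypothetical stand-in for the HID report/field layout:

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins; NOT the kernel's struct hid_report / hid_field. */
struct model_field {
    unsigned report_count;      /* number of slots in value[] */
    int32_t *value;
};

struct model_report {
    unsigned maxfield;          /* number of entries in field[] */
    struct model_field **field;
};

/* Where the input-mode usage was found while mapping the feature report.
 * The commit message stores the field index for this purpose. */
struct model_inputmode {
    unsigned field_index;
    unsigned value_index;
};

/* Checked write: 0 on success, -1 if a descriptor-derived index is out of range. */
int model_set_device_mode(struct model_report *r,
                          const struct model_inputmode *im, int32_t mode)
{
    if (im->field_index >= r->maxfield)
        return -1;
    struct model_field *f = r->field[im->field_index];
    if (f == NULL || im->value_index >= f->report_count)
        return -1;
    f->value[im->value_index] = mode;
    return 0;
}

/* Constructed report: field 0 has one value slot, field 1 has three. */
int model_demo(unsigned field_index, unsigned value_index, int32_t *out)
{
    int32_t v0[1] = {0}, v1[3] = {0, 0, 0};
    struct model_field f0 = {1, v0}, f1 = {3, v1};
    struct model_field *fields[2] = {&f0, &f1};
    struct model_report r = {2, fields};
    struct model_inputmode im = {field_index, value_index};
    int rc = model_set_device_mode(&r, &im, 2);
    if (rc == 0 && out)
        *out = fields[field_index]->value[value_index];
    return rc;
}
```

Calling `model_demo(0, 2, NULL)` reproduces the old assumption (usage index 2 applied to a one-slot field 0) and is rejected instead of writing past `value[]`.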