From: Benjamin Tissoires <bentiss@kernel.org>
To: Icenowy Zheng <uwu@icenowy.me>
Cc: "Jiri Kosina" <jikos@kernel.org>,
	"Filipe Laíns" <lains@riseup.net>,
	"Bastien Nocera" <hadess@hadess.net>,
	"Ping Cheng" <ping.cheng@wacom.com>,
	"Jason Gerecke" <jason.gerecke@wacom.com>,
	"Viresh Kumar" <vireshk@kernel.org>,
	"Johan Hovold" <johan@kernel.org>,
	"Alex Elder" <elder@kernel.org>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Lee Jones" <lee@kernel.org>,
	linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev,
	linux-usb@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/4] HID: pass the buffer size to hid_report_raw_event
Date: Mon, 20 Apr 2026 10:01:55 +0200
Message-ID: <aeXdKFJe8JyatqLR@beelink>
In-Reply-To: <938e8afadcbf2d7b9f0397e24926224985d9c385.camel@icenowy.me>

On Apr 20 2026, Icenowy Zheng wrote:
> On Thu, 2026-04-16 at 16:48 +0200, Benjamin Tissoires wrote:
> > commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
> > bogus memset()") enforced the provided data to be at least the size of
> > the declared buffer in the report descriptor to prevent a buffer
> > overflow. However, we can try to be smarter by providing both the buffer
> > size and the data size, meaning that hid_report_raw_event() can make a
> > better decision whether we should plainly reject the buffer (buffer
> > overflow attempt) or if we can safely memset it to 0 and pass it to the
> > rest of the stack.
> > 
> > Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
> > bogus memset()")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> > ---
> >  drivers/hid/bpf/hid_bpf_dispatch.c |  6 ++++--
> >  drivers/hid/hid-core.c             | 42 +++++++++++++++++++++++++---
> > ----------
> >  drivers/hid/hid-gfrm.c             |  4 ++--
> >  drivers/hid/hid-logitech-hidpp.c   |  2 +-
> >  drivers/hid/hid-multitouch.c       |  2 +-
> >  drivers/hid/hid-primax.c           |  2 +-
> >  drivers/hid/hid-vivaldi-common.c   |  2 +-
> >  drivers/hid/wacom_sys.c            |  6 +++---
> >  drivers/staging/greybus/hid.c      |  2 +-
> >  include/linux/hid.h                |  4 ++--
> >  include/linux/hid_bpf.h            | 14 ++++++++-----
> >  11 files changed, 53 insertions(+), 33 deletions(-)
> 
> ============ 8< ===================
> 
> > diff --git a/drivers/staging/greybus/hid.c
> > b/drivers/staging/greybus/hid.c
> > index 1f58c907c036..37e8605c6767 100644
> > --- a/drivers/staging/greybus/hid.c
> > +++ b/drivers/staging/greybus/hid.c
> > @@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid
> > *ghid, struct hid_report *report)
> >  	 * we just need to setup the input fields, so using
> >  	 * hid_report_raw_event is safe.
> >  	 */
> > -	hid_report_raw_event(ghid->hid, report->type, ghid->inbuf,
> > size, 1);
> > +	hid_report_raw_event(ghid->hid, report->type, ghid->inbuf,
> > ghib->bufsize, size, 1);
> 
> Oops, "ghid" is misspelled here...

Damn, you're correct. Sorry.

Jiri, do you want me to send v3? Or can you fix it while applying?

> 
> Found this when building some giant kernel with this patchset.

Thanks a lot for spotting this.

Cheers,
Benjamin

> 
> Thanks,
> Icenowy
> 
> >  }
> >  
> >  static void gb_hid_init_reports(struct gb_hid *ghid)
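Review bot: the added call in gb_hid_init_report() passes `ghib->bufsize`, but the function's parameter is `struct gb_hid *ghid` and no `ghib` appears anywhere in the hunk, so this will not compile; it should read `ghid->bufsize`. Separately, the comment above the call says using hid_report_raw_event is safe, yet the hunk does not show where `size` comes from: with the new argument order (buffer size, then data size) it is worth confirming that `size` cannot exceed `ghid->bufsize` on this path. A signature change that touches this many callers should be compile-tested with the staging greybus driver enabled so a break like this surfaces before posting.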
> 
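The reject-or-zero-pad decision that the quoted commit message describes, as an added userspace model. This is not code from the patch or from the kernel; the function name `model_prepare_report`, the parameter names and the exact order of checks are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model (hypothetical names), not the kernel's hid_report_raw_event().
 * bufsize: bytes allocated behind buf; size: bytes the device delivered;
 * rsize: bytes the report descriptor declares for this report.
 * Returns 0 if buf can be parsed as an rsize-byte report, -EINVAL if not. */
static int model_prepare_report(uint8_t *buf, size_t bufsize, size_t size,
                                size_t rsize)
{
    if (size > bufsize)          /* data cannot exceed its own storage */
        return -EINVAL;
    if (size >= rsize)           /* full-length report: nothing to pad */
        return 0;
    if (rsize > bufsize)         /* padding would write past the allocation */
        return -EINVAL;
    memset(buf + size, 0, rsize - size);  /* short report: zero the tail */
    return 0;
}

/* Constructed case: 8-byte buffer filled with 0xAA, 3 bytes delivered,
 * descriptor declares 6. Returns 1 if bytes 3..5 are zeroed and the
 * delivered bytes and bytes 6..7 are untouched. */
static int demo_short_report_is_padded(void)
{
    uint8_t buf[8];
    memset(buf, 0xAA, sizeof(buf));
    if (model_prepare_report(buf, sizeof(buf), 3, 6) != 0)
        return 0;
    return buf[2] == 0xAA && buf[3] == 0 && buf[5] == 0 && buf[6] == 0xAA;
}

/* Constructed case: only 4 bytes allocated, descriptor declares 6.
 * Returns the model's verdict; the buffer is left untouched. */
static int demo_undersized_buffer(void)
{
    uint8_t buf[4] = { 1, 2, 3, 4 };
    return model_prepare_report(buf, sizeof(buf), 3, 6);
}

int main(void)
{
    printf("short report, large buffer: padded=%d\n", demo_short_report_is_padded());
    printf("short report, small buffer: rc=%d\n", demo_undersized_buffer());
    return 0;
}
```

Knowing only the data size, a callee cannot tell the two constructed cases apart, which is why the series passes the allocation size as a separate argument.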

Thread overview: 9+ messages
2026-04-16 14:48 [PATCH v2 0/4] HID: Proper fix for OOM in hid-core Benjamin Tissoires
2026-04-16 14:48 ` [PATCH v2 1/4] HID: pass the buffer size to hid_report_raw_event Benjamin Tissoires
2026-04-19 16:26   ` Icenowy Zheng
2026-04-20  8:01     ` Benjamin Tissoires [this message]
2026-04-28 16:02       ` Jiri Kosina
2026-04-16 14:48 ` [PATCH v2 2/4] HID: core: introduce hid_safe_input_report() Benjamin Tissoires
2026-04-16 14:48 ` [PATCH v2 3/4] HID: multitouch: use __free(kfree) to clean up temporary buffers Benjamin Tissoires
2026-04-16 14:48 ` [PATCH v2 4/4] HID: wacom: " Benjamin Tissoires
2026-04-24  1:08   ` kernel test robot
