* [PATCH] Bluetooth: HIDP: reject oversized report descriptor @ 2026-02-25 1:35 Eric-Terminal 2026-02-25 4:25 ` bluez.test.bot 2026-02-27 15:04 ` [PATCH] " Luiz Augusto von Dentz 0 siblings, 2 replies; 8+ messages in thread From: Eric-Terminal @ 2026-02-25 1:35 UTC (permalink / raw) To: marcel, johan.hedberg, luiz.dentz Cc: linux-bluetooth, linux-kernel, ericterminal From: Yufan Chen <ericterminal@gmail.com> hidp_setup_hid() duplicates the report descriptor from userspace based on req->rd_size. hidp_session_dev_init() only checked rd_size > 0, so oversized values were accepted and propagated to memdup_user(). Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return -EINVAL before entering the HID setup path. Signed-off-by: Yufan Chen <ericterminal@gmail.com> --- net/bluetooth/hidp/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 6fe815241..ce68b3c27 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session, { int ret; + if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE) + return -EINVAL; + if (req->rd_size > 0) { ret = hidp_setup_hid(session, req); if (ret && ret != -ENODEV) -- 2.53.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
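Review bot: the new check in hidp_session_dev_init() turns a request that is accepted today into an -EINVAL failure, so the commit message should say whether an oversized rd_size was actually observed and what memdup_user() did with it, or whether this is defensive only; it should also state the type and range of req->rd_size, since that decides whether the copy is unbounded or merely larger than the HID limit. For the purely defensive case, bounding the length at the memdup_user() call in hidp_setup_hid() (the function the message names as doing the copy) would keep existing userspace connecting while still limiting the copy, and would keep the bound beside the allocation it protects rather than in the caller. Whichever placement is kept, a one-line comment above the `if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)` test explaining why the limit is applied at that point would help the next reader.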
* RE: Bluetooth: HIDP: reject oversized report descriptor
From: bluez.test.bot @ 2026-02-25 4:25 UTC
To: linux-bluetooth, ericterminal

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1057473

---Test result---

Test Summary:
CheckPatch                    PENDING   0.33 seconds
GitLint                       PENDING   0.25 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      26.05 seconds
CheckAllWarning               PASS      28.17 seconds
CheckSparse                   WARNING   31.76 seconds
BuildKernel32                 PASS      24.81 seconds
TestRunnerSetup               PASS      558.37 seconds
TestRunner_l2cap-tester       PASS      28.25 seconds
TestRunner_iso-tester         PASS      81.34 seconds
TestRunner_bnep-tester        PASS      6.47 seconds
TestRunner_mgmt-tester        FAIL      117.13 seconds
TestRunner_rfcomm-tester      PASS      9.53 seconds
TestRunner_sco-tester         FAIL      14.81 seconds
TestRunner_ioctl-tester       PASS      10.09 seconds
TestRunner_mesh-tester        FAIL      11.49 seconds
TestRunner_smp-tester         PASS      8.67 seconds
TestRunner_userchan-tester    PASS      6.73 seconds
IncrementalBuild              PENDING   0.89 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hidp/core.c:1477:1: error: bad constant expression
net/bluetooth/hidp/core.c:1478:1: error: bad constant expression
net/bluetooth/hidp/core.c:1479:1: error: bad constant expression
net/bluetooth/hidp/core.c:1480:1: error: bad constant expression
net/bluetooth/hidp/core.c:1481:1: error: bad constant expression
net/bluetooth/hidp/core.c:1481:1: error: bad constant expression
net/bluetooth/hidp/core.c:1482:1: error: bad constant expression

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds

##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.887 seconds
Mesh - Send cancel - 2                               Timed out    1.991 seconds

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: HIDP: reject oversized report descriptor 2026-02-25 1:35 [PATCH] Bluetooth: HIDP: reject oversized report descriptor Eric-Terminal 2026-02-25 4:25 ` bluez.test.bot @ 2026-02-27 15:04 ` Luiz Augusto von Dentz 2026-02-28 17:26 ` [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup Eric-Terminal 1 sibling, 1 reply; 8+ messages in thread From: Luiz Augusto von Dentz @ 2026-02-27 15:04 UTC (permalink / raw) To: Eric-Terminal; +Cc: marcel, johan.hedberg, linux-bluetooth, linux-kernel Hi Yufan, On Tue, Feb 24, 2026 at 8:35 PM Eric-Terminal <ericterminal@gmail.com> wrote: > > From: Yufan Chen <ericterminal@gmail.com> > > hidp_setup_hid() duplicates the report descriptor from userspace > based on req->rd_size. hidp_session_dev_init() only checked > rd_size > 0, so oversized values were accepted and propagated > to memdup_user(). > > Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return > -EINVAL before entering the HID setup path. Well this has the potential to break compatibility if a device misbehaves. So is this causing a real problem or is it just defensive coding? In case of the latter, we may just truncate or something, if that is not already truncated somewhere else. > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > --- > net/bluetooth/hidp/core.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > index 6fe815241..ce68b3c27 100644 > --- a/net/bluetooth/hidp/core.c > +++ b/net/bluetooth/hidp/core.c > @@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session, > { > int ret; > > + if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE) > + return -EINVAL; > + > if (req->rd_size > 0) { > ret = hidp_setup_hid(session, req); > if (ret && ret != -ENODEV) > -- > 2.53.0 > -- Luiz Augusto von Dentz ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup 2026-02-27 15:04 ` [PATCH] " Luiz Augusto von Dentz @ 2026-02-28 17:26 ` Eric-Terminal 2026-02-28 18:06 ` [v2] " bluez.test.bot 2026-03-01 9:19 ` [PATCH v2] " Bastien Nocera 0 siblings, 2 replies; 8+ messages in thread From: Eric-Terminal @ 2026-02-28 17:26 UTC (permalink / raw) To: marcel, johan.hedberg, luiz.dentz Cc: linux-bluetooth, linux-kernel, Yufan Chen From: Yufan Chen <ericterminal@gmail.com> hidp_setup_hid() duplicates the report descriptor from userspace based on req->rd_size. Large values can trigger oversized copies. Do not reject the connection when rd_size exceeds HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() and use the capped value for memdup_user() and session->rd_size. This keeps compatibility with existing userspace behavior while bounding memory usage in the HID setup path. Signed-off-by: Yufan Chen <ericterminal@gmail.com> --- net/bluetooth/hidp/core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 6fe815241..31aeffa39 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session *session, const struct hidp_connadd_req *req) { struct hid_device *hid; + unsigned int rd_size; int err; - session->rd_data = memdup_user(req->rd_data, req->rd_size); + rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE); + + session->rd_data = memdup_user(req->rd_data, rd_size); if (IS_ERR(session->rd_data)) return PTR_ERR(session->rd_data); - session->rd_size = req->rd_size; + session->rd_size = rd_size; hid = hid_allocate_device(); if (IS_ERR(hid)) { -- 2.47.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
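Review bot: the `min_t()` cap silently drops the tail of any descriptor longer than HID_MAX_DESCRIPTOR_SIZE, and a descriptor cut on an item boundary still parses, so a misbehaving device can end up registered with partial report definitions and nothing in the log saying why. A one-time warning when req->rd_size exceeds the cap, plus a comment above the `rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);` line recording that capping rather than rejecting (as usbhid does with -EINVAL) was chosen for userspace compatibility, would make the condition diagnosable; the commit message should also state that `session->rd_size` now holds the capped length, since that is the length later exposed to consumers of the descriptor.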
* RE: [v2] Bluetooth: HIDP: cap report descriptor size in HID setup
From: bluez.test.bot @ 2026-02-28 18:06 UTC
To: linux-bluetooth, ericterminal

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1059479

---Test result---

Test Summary:
CheckPatch                    PENDING   0.32 seconds
GitLint                       PENDING   0.19 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      26.70 seconds
CheckAllWarning               PASS      29.21 seconds
CheckSparse                   WARNING   33.20 seconds
BuildKernel32                 PASS      25.72 seconds
TestRunnerSetup               PASS      569.31 seconds
TestRunner_l2cap-tester       FAIL      34.63 seconds
TestRunner_iso-tester         FAIL      65.28 seconds
TestRunner_bnep-tester        PASS      6.43 seconds
TestRunner_mgmt-tester        FAIL      124.24 seconds
TestRunner_rfcomm-tester      PASS      9.57 seconds
TestRunner_sco-tester         FAIL      14.69 seconds
TestRunner_ioctl-tester       PASS      10.30 seconds
TestRunner_mesh-tester        FAIL      11.42 seconds
TestRunner_smp-tester         PASS      8.82 seconds
TestRunner_userchan-tester    PASS      6.75 seconds
IncrementalBuild              PENDING   0.71 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hidp/core.c:1477:1: error: bad constant expression
net/bluetooth/hidp/core.c:1478:1: error: bad constant expression
net/bluetooth/hidp/core.c:1479:1: error: bad constant expression
net/bluetooth/hidp/core.c:1480:1: error: bad constant expression
net/bluetooth/hidp/core.c:1481:1: error: bad constant expression
net/bluetooth/hidp/core.c:1481:1: error: bad constant expression
net/bluetooth/hidp/core.c:1482:1: error: bad constant expression

##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 94 (97.9%), Failed: 2, Not Run: 0

Failed Test Cases
L2CAP LE Client - Read 32k Success                   Timed out    2.398 seconds
L2CAP LE Client - RX Timestamping 32k                Timed out    1.891 seconds

##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.112 seconds

##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.786 seconds
Mesh - Send cancel - 2                               Timed out    1.996 seconds

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth
* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup 2026-02-28 17:26 ` [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup Eric-Terminal 2026-02-28 18:06 ` [v2] " bluez.test.bot @ 2026-03-01 9:19 ` Bastien Nocera 2026-03-11 10:18 ` Benjamin Tissoires 1 sibling, 1 reply; 8+ messages in thread From: Bastien Nocera @ 2026-03-01 9:19 UTC (permalink / raw) To: Eric-Terminal, marcel, johan.hedberg, luiz.dentz Cc: linux-bluetooth, linux-kernel, linux-input On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote: > From: Yufan Chen <ericterminal@gmail.com> > > hidp_setup_hid() duplicates the report descriptor from userspace > based on > req->rd_size. Large values can trigger oversized copies. > > Do not reject the connection when rd_size exceeds > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() > and use the capped value for memdup_user() and session->rd_size. > > This keeps compatibility with existing userspace behavior while > bounding memory usage in the HID setup path. Cross-sending this to linux-input@ for review, they would know the best way to deal with oversized HID descriptors. > > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > --- > net/bluetooth/hidp/core.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > index 6fe815241..31aeffa39 100644 > --- a/net/bluetooth/hidp/core.c > +++ b/net/bluetooth/hidp/core.c 
> @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session > *session, > const struct hidp_connadd_req *req) > { > struct hid_device *hid; > + unsigned int rd_size; > int err; > > - session->rd_data = memdup_user(req->rd_data, req->rd_size); > + rd_size = min_t(unsigned int, req->rd_size, > HID_MAX_DESCRIPTOR_SIZE); > + > + session->rd_data = memdup_user(req->rd_data, rd_size); > if (IS_ERR(session->rd_data)) > return PTR_ERR(session->rd_data); > > - session->rd_size = req->rd_size; > + session->rd_size = rd_size; > > hid = hid_allocate_device(); > if (IS_ERR(hid)) { ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup 2026-03-01 9:19 ` [PATCH v2] " Bastien Nocera @ 2026-03-11 10:18 ` Benjamin Tissoires 2026-03-22 15:37 ` Eric_Terminal 0 siblings, 1 reply; 8+ messages in thread From: Benjamin Tissoires @ 2026-03-11 10:18 UTC (permalink / raw) To: Bastien Nocera Cc: Eric-Terminal, marcel, johan.hedberg, luiz.dentz, linux-bluetooth, linux-kernel, linux-input On Mar 01 2026, Bastien Nocera wrote: > On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote: > > From: Yufan Chen <ericterminal@gmail.com> > > > > hidp_setup_hid() duplicates the report descriptor from userspace > > based on > > req->rd_size. Large values can trigger oversized copies. > > > > Do not reject the connection when rd_size exceeds > > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() > > and use the capped value for memdup_user() and session->rd_size. > > > > This keeps compatibility with existing userspace behavior while > > bounding memory usage in the HID setup path. > > Cross-sending this to linux-input@ for review, they would know the best > way to deal with oversized HID descriptors. AFAICT the hid-core code would be fine with it (it would parse it), but there will be some issues (hidraw will not be able to export the entire rdesc, so is the sysfs). For reference, usbhid just returns -EINVAL for oversize report descriptors. Anyway, if the report descriptor is truncated, like in this patch, the hid core parse will fail if the data is not correct, so I think this should be safe. Cheers, Benjamin > > > > > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > > --- > > net/bluetooth/hidp/core.c | 7 +++++-- > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > > index 6fe815241..31aeffa39 100644 > > --- a/net/bluetooth/hidp/core.c > > +++ b/net/bluetooth/hidp/core.c 
> > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session > > *session, > > const struct hidp_connadd_req *req) > > { > > struct hid_device *hid; > > + unsigned int rd_size; > > int err; > > > > - session->rd_data = memdup_user(req->rd_data, req->rd_size); > > + rd_size = min_t(unsigned int, req->rd_size, > > HID_MAX_DESCRIPTOR_SIZE); > > + > > + session->rd_data = memdup_user(req->rd_data, rd_size); > > if (IS_ERR(session->rd_data)) > > return PTR_ERR(session->rd_data); > > > > - session->rd_size = req->rd_size; > > + session->rd_size = rd_size; > > > > hid = hid_allocate_device(); > > if (IS_ERR(hid)) { > ^ permalink raw reply [flat|nested] 8+ messages in thread
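Benjamin's point above, that a capped descriptor is caught by the HID parser only when the cut leaves the data malformed, modelled in userspace C as an added example. This is not code from the patch, the kernel or the reviewers: it assumes HID_MAX_DESCRIPTOR_SIZE is 4096, uses memcpy() in place of memdup_user(), and the names model_setup_hid, parse_short_items, run_case, kept_size and the sample descriptor are constructed for the illustration. It runs the same 28-byte descriptor through v1's reject policy and v2's cap policy with deliberately small caps so both truncation outcomes are visible:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same name as the kernel constant; the value 4096 is an assumption of this model. */
#define HID_MAX_DESCRIPTOR_SIZE 4096

/* v1 of the patch rejects with -EINVAL; v2 caps with min_t(). */
enum rd_policy { RD_REJECT, RD_CAP };

/* Stand-in for the two struct hidp_session fields the patch touches. */
struct model_session {
	uint8_t rd_data[HID_MAX_DESCRIPTOR_SIZE];
	size_t rd_size;
};

/* Constructed sample: a small mouse-style report descriptor, 15 short items in
 * 28 bytes. The first 13 items are prefix + one data byte; the two End
 * Collection items are a single byte. */
static const uint8_t sample_rd[] = {
	0x05, 0x01,	/* Usage Page (Generic Desktop) */
	0x09, 0x02,	/* Usage (Mouse) */
	0xA1, 0x01,	/* Collection (Application) */
	0x09, 0x01,	/*   Usage (Pointer) */
	0xA1, 0x00,	/*   Collection (Physical) */
	0x05, 0x09,	/*     Usage Page (Button) */
	0x19, 0x01,	/*     Usage Minimum (1) */
	0x29, 0x03,	/*     Usage Maximum (3) */
	0x15, 0x00,	/*     Logical Minimum (0) */
	0x25, 0x01,	/*     Logical Maximum (1) */
	0x95, 0x03,	/*     Report Count (3) */
	0x75, 0x01,	/*     Report Size (1) */
	0x81, 0x02,	/*     Input (Data,Var,Abs) */
	0xC0,		/*   End Collection */
	0xC0,		/* End Collection */
};

/* Minimal HID short-item walker. The low two bits of each prefix byte encode
 * the data length (0, 1, 2 or 4 bytes); long items (prefix 0xFE) are not
 * modelled. Returns 0 when the buffer ends exactly on an item boundary and
 * -EINVAL when the last item's data runs past the end, i.e. the "data is not
 * correct" case the HID core parser rejects. */
static int parse_short_items(const uint8_t *rd, size_t len)
{
	static const size_t data_len[4] = { 0, 1, 2, 4 };
	size_t pos = 0;

	while (pos < len) {
		uint8_t prefix = rd[pos];
		size_t dl = data_len[prefix & 0x3];

		if (prefix == 0xFE)
			return -EINVAL;
		if (pos + 1 + dl > len)
			return -EINVAL;	/* item cut in the middle */
		pos += 1 + dl;
	}
	return 0;
}

/* Mirrors the shape of hidp_setup_hid(): bound the user-supplied length per
 * policy, copy it, record the length the session will expose, then parse.
 * Returns 0 or a negative errno. */
static int model_setup_hid(struct model_session *s, const uint8_t *user_rd,
			   size_t user_size, size_t cap, enum rd_policy policy)
{
	size_t rd_size = user_size;

	if (cap > sizeof(s->rd_data))
		return -EINVAL;
	if (user_size > cap) {
		if (policy == RD_REJECT)
			return -EINVAL;		/* v1: refuse the connection */
		rd_size = cap;			/* v2: tail silently dropped */
	}
	memcpy(s->rd_data, user_rd, rd_size);	/* memdup_user() stand-in */
	s->rd_size = rd_size;
	return parse_short_items(s->rd_data, s->rd_size);
}

/* Result of feeding the sample descriptor through one policy/cap combination. */
int run_case(size_t cap, enum rd_policy policy)
{
	struct model_session s = { { 0 }, 0 };

	return model_setup_hid(&s, sample_rd, sizeof(sample_rd), cap, policy);
}

/* Length that ends up in the session for the same combination (0 on reject). */
size_t kept_size(size_t cap, enum rd_policy policy)
{
	struct model_session s = { { 0 }, 0 };

	model_setup_hid(&s, sample_rd, sizeof(sample_rd), cap, policy);
	return s.rd_size;
}

int main(void)
{
	printf("cap 64, CAP:    ret=%d kept=%zu (whole descriptor)\n",
	       run_case(64, RD_CAP), kept_size(64, RD_CAP));
	printf("cap 9,  CAP:    ret=%d kept=%zu (cut mid-item: parser catches it)\n",
	       run_case(9, RD_CAP), kept_size(9, RD_CAP));
	printf("cap 10, CAP:    ret=%d kept=%zu (cut on an item boundary: accepted as partial)\n",
	       run_case(10, RD_CAP), kept_size(10, RD_CAP));
	printf("cap 10, REJECT: ret=%d kept=%zu (refused up front)\n",
	       run_case(10, RD_REJECT), kept_size(10, RD_REJECT));
	return 0;
}
```

The cap=10 case is the one worth noting from a defender's side: the cut lands on an item boundary, so the capped descriptor parses cleanly and the session would be registered with five items and no report definitions at all, with nothing indicating that anything was dropped. That is the argument for logging when the cap is hit. Against a sane device the real HID_MAX_DESCRIPTOR_SIZE is far larger than any descriptor it will send, so the cap only ever matters for a misbehaving device or a buggy userspace helper.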
* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup 2026-03-11 10:18 ` Benjamin Tissoires @ 2026-03-22 15:37 ` Eric_Terminal 0 siblings, 0 replies; 8+ messages in thread From: Eric_Terminal @ 2026-03-22 15:37 UTC (permalink / raw) To: Benjamin Tissoires Cc: Bastien Nocera, marcel, johan.hedberg, luiz.dentz, linux-bluetooth, linux-kernel, linux-input Hi all, Just a gentle ping on this patch. Since Benjamin reviewed it from the input side and concluded it should be safe, I was wondering if there are any further comments from the Bluetooth side, or if anything else is needed from me for this to be merged? Thanks, Yufan On Wed, Mar 11, 2026 at 6:19 PM Benjamin Tissoires <bentiss@kernel.org> wrote: > > On Mar 01 2026, Bastien Nocera wrote: > > On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote: > > > From: Yufan Chen <ericterminal@gmail.com> > > > > > > hidp_setup_hid() duplicates the report descriptor from userspace > > > based on > > > req->rd_size. Large values can trigger oversized copies. > > > > > > Do not reject the connection when rd_size exceeds > > > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() > > > and use the capped value for memdup_user() and session->rd_size. > > > > > > This keeps compatibility with existing userspace behavior while > > > bounding memory usage in the HID setup path. > > > > Cross-sending this to linux-input@ for review, they would know the best > > way to deal with oversized HID descriptors. > > AFAICT the hid-core code would be fine with it (it would parse it), but > there will be some issues (hidraw will not be able to export the entire > rdesc, so is the sysfs). > > For reference, usbhid just returns -EINVAL for oversize report > descriptors. > > Anyway, if the report descriptor is truncated, like in this patch, the > hid core parse will fail if the data is not correct, so I thing this > should be safe. > > Cheers, > Benjamin 
> > > > > > > > > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > > > --- > > > net/bluetooth/hidp/core.c | 7 +++++-- > > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > > > index 6fe815241..31aeffa39 100644 > > > --- a/net/bluetooth/hidp/core.c > > > +++ b/net/bluetooth/hidp/core.c > > > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session > > > *session, > > > const struct hidp_connadd_req *req) > > > { > > > struct hid_device *hid; > > > + unsigned int rd_size; > > > int err; > > > > > > - session->rd_data = memdup_user(req->rd_data, req->rd_size); > > > + rd_size = min_t(unsigned int, req->rd_size, > > > HID_MAX_DESCRIPTOR_SIZE); > > > + > > > + session->rd_data = memdup_user(req->rd_data, rd_size); > > > if (IS_ERR(session->rd_data)) > > > return PTR_ERR(session->rd_data); > > > > > > - session->rd_size = req->rd_size; > > > + session->rd_size = rd_size; > > > > > > hid = hid_allocate_device(); > > > if (IS_ERR(hid)) { > > ^ permalink raw reply [flat|nested] 8+ messages in thread