From: Greg KH <gregkh@linuxfoundation.org>
To: Muhammad Bilal <meatuni001@gmail.com>
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
marcel@holtmann.org, luiz.dentz@gmail.com,
johan.hedberg@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
Date: Mon, 18 May 2026 07:18:08 +0200 [thread overview]
Message-ID: <2026051801-oops-makeover-da91@gregkh> (raw)
In-Reply-To: <20260517234805.116570-1-meatuni001@gmail.com>
On Sun, May 17, 2026 at 07:48:05PM -0400, Muhammad Bilal wrote:
> hidp_input_report() reads keyboard and mouse payload data from an skb
> without first verifying that skb->len contains enough data.
>
> hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
> to hidp_input_report(). If a paired device sends a truncated packet,
> the handler reads beyond the valid skb data, resulting in
> an out-of-bounds read of skb data.
> The OOB bytes may be interpreted as phantom key presses or
> spurious mouse movement.
>
> Add a check that skb->len is non-zero before the type switch, and
> per-report-type minimum length checks before accessing the payload.
>
> Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
> ---
> net/bluetooth/hidp/core.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 976f91eeb..03838a6ff 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -179,12 +179,22 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
> {
> struct input_dev *dev = session->input;
> unsigned char *keys = session->keys;
> - unsigned char *udata = skb->data + 1;
> - signed char *sdata = skb->data + 1;
> - int i, size = skb->len - 1;
> + unsigned char *udata;
> + signed char *sdata;
> + int i, size;
> +
> + if (!skb->len)
> + return;
> +
> + udata = skb->data + 1;
> + sdata = skb->data + 1;
> + size = skb->len - 1;
>
> switch (skb->data[0]) {
> case 0x01: /* Keyboard report */
> + if (size < 8)
> + break;
> +
> for (i = 0; i < 8; i++)
> input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
>
> @@ -213,6 +223,9 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
> break;
>
> case 0x02: /* Mouse report */
> + if (size < 3)
> + break;
> +
> input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
> input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
> input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
> --
> 2.54.0
>
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
prev parent reply other threads:[~2026-05-18 5:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 23:48 [PATCH] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Muhammad Bilal
2026-05-18 2:56 ` bluez.test.bot
2026-05-18 5:18 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026051801-oops-makeover-da91@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=meatuni001@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox