[PATCH] Bluetooth: HIDP: reject oversized report descriptor

[PATCH] Bluetooth: HIDP: reject oversized report descriptor

[Eric-Terminal]

From: Yufan Chen <ericterminal@gmail.com>

hidp_setup_hid() duplicates the report descriptor from userspace
based on req->rd_size. hidp_session_dev_init() only checked
rd_size > 0, so oversized values were accepted and propagated
to memdup_user().

Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return
-EINVAL before entering the HID setup path.

Signed-off-by: Yufan Chen <ericterminal@gmail.com>
---
 net/bluetooth/hidp/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6fe815241..ce68b3c27 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session,
 {
 	int ret;
 
+	if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)
+		return -EINVAL;
+
 	if (req->rd_size > 0) {
 		ret = hidp_setup_hid(session, req);
 		if (ret && ret != -ENODEV)
-- 
2.53.0

RE: Bluetooth: HIDP: reject oversized report descriptor

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3149 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1057473

---Test result---

Test Summary:
CheckPatch                    PENDING   0.33 seconds
GitLint                       PENDING   0.25 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      26.05 seconds
CheckAllWarning               PASS      28.17 seconds
CheckSparse                   WARNING   31.76 seconds
BuildKernel32                 PASS      24.81 seconds
TestRunnerSetup               PASS      558.37 seconds
TestRunner_l2cap-tester       PASS      28.25 seconds
TestRunner_iso-tester         PASS      81.34 seconds
TestRunner_bnep-tester        PASS      6.47 seconds
TestRunner_mgmt-tester        FAIL      117.13 seconds
TestRunner_rfcomm-tester      PASS      9.53 seconds
TestRunner_sco-tester         FAIL      14.81 seconds
TestRunner_ioctl-tester       PASS      10.09 seconds
TestRunner_mesh-tester        FAIL      11.49 seconds
TestRunner_smp-tester         PASS      8.67 seconds
TestRunner_userchan-tester    PASS      6.73 seconds
IncrementalBuild              PENDING   0.89 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hidp/core.c:1477:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1478:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1479:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1480:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1481:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1481:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1482:1: error: bad constant expression
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.887 seconds
Mesh - Send cancel - 2                               Timed out    1.991 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH] Bluetooth: HIDP: reject oversized report descriptor

[Luiz Augusto von Dentz]

Hi Yafan,

On Tue, Feb 24, 2026 at 8:35 PM Eric-Terminal <ericterminal@gmail.com> wrote:
>
> From: Yufan Chen <ericterminal@gmail.com>
>
> hidp_setup_hid() duplicates the report descriptor from userspace
> based on req->rd_size. hidp_session_dev_init() only checked
> rd_size > 0, so oversized values were accepted and propagated
> to memdup_user().
>
> Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return
> -EINVAL before entering the HID setup path.

Well this has the potential to break compatibility if a device
misbehaves. So is this causing a real problem or is it just defensive
coding? In case of the later, we may just truncate or something, if
that is not already truncated somewhere else.

> Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> ---
>  net/bluetooth/hidp/core.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6fe815241..ce68b3c27 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session,
>  {
>         int ret;
>
> +       if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)
> +               return -EINVAL;
> +
>         if (req->rd_size > 0) {
>                 ret = hidp_setup_hid(session, req);
>                 if (ret && ret != -ENODEV)
> --
> 2.53.0
>


-- 
Luiz Augusto von Dentz

[PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup

[Eric-Terminal]

From: Yufan Chen <ericterminal@gmail.com>

hidp_setup_hid() duplicates the report descriptor from userspace based on
req->rd_size. Large values can trigger oversized copies.

Do not reject the connection when rd_size exceeds
HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
and use the capped value for memdup_user() and session->rd_size.

This keeps compatibility with existing userspace behavior while
bounding memory usage in the HID setup path.

Signed-off-by: Yufan Chen <ericterminal@gmail.com>
---
 net/bluetooth/hidp/core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6fe815241..31aeffa39 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session *session,
 				const struct hidp_connadd_req *req)
 {
 	struct hid_device *hid;
+	unsigned int rd_size;
 	int err;
 
-	session->rd_data = memdup_user(req->rd_data, req->rd_size);
+	rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);
+
+	session->rd_data = memdup_user(req->rd_data, rd_size);
 	if (IS_ERR(session->rd_data))
 		return PTR_ERR(session->rd_data);
 
-	session->rd_size = req->rd_size;
+	session->rd_size = rd_size;
 
 	hid = hid_allocate_device();
 	if (IS_ERR(hid)) {
-- 
2.47.3

RE: [v2] Bluetooth: HIDP: cap report descriptor size in HID setup

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3737 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1059479

---Test result---

Test Summary:
CheckPatch                    PENDING   0.32 seconds
GitLint                       PENDING   0.19 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      26.70 seconds
CheckAllWarning               PASS      29.21 seconds
CheckSparse                   WARNING   33.20 seconds
BuildKernel32                 PASS      25.72 seconds
TestRunnerSetup               PASS      569.31 seconds
TestRunner_l2cap-tester       FAIL      34.63 seconds
TestRunner_iso-tester         FAIL      65.28 seconds
TestRunner_bnep-tester        PASS      6.43 seconds
TestRunner_mgmt-tester        FAIL      124.24 seconds
TestRunner_rfcomm-tester      PASS      9.57 seconds
TestRunner_sco-tester         FAIL      14.69 seconds
TestRunner_ioctl-tester       PASS      10.30 seconds
TestRunner_mesh-tester        FAIL      11.42 seconds
TestRunner_smp-tester         PASS      8.82 seconds
TestRunner_userchan-tester    PASS      6.75 seconds
IncrementalBuild              PENDING   0.71 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hidp/core.c:1477:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1478:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1479:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1480:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1481:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1481:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1482:1: error: bad constant expression
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 94 (97.9%), Failed: 2, Not Run: 0

Failed Test Cases
L2CAP LE Client - Read 32k Success                   Timed out    2.398 seconds
L2CAP LE Client - RX Timestamping 32k                Timed out    1.891 seconds
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.112 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.786 seconds
Mesh - Send cancel - 2                               Timed out    1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup

[Bastien Nocera]

On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> From: Yufan Chen <ericterminal@gmail.com>
> 
> hidp_setup_hid() duplicates the report descriptor from userspace
> based on
> req->rd_size. Large values can trigger oversized copies.
> 
> Do not reject the connection when rd_size exceeds
> HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> and use the capped value for memdup_user() and session->rd_size.
> 
> This keeps compatibility with existing userspace behavior while
> bounding memory usage in the HID setup path.

Cross-sending this to linux-input@ for review, they would know the best
way to deal with oversized HID descriptors.

> 
> Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> ---
>  net/bluetooth/hidp/core.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6fe815241..31aeffa39 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> *session,
>  				const struct hidp_connadd_req *req)
>  {
>  	struct hid_device *hid;
> +	unsigned int rd_size;
>  	int err;
>  
> -	session->rd_data = memdup_user(req->rd_data, req->rd_size);
> +	rd_size = min_t(unsigned int, req->rd_size,
> HID_MAX_DESCRIPTOR_SIZE);
> +
> +	session->rd_data = memdup_user(req->rd_data, rd_size);
>  	if (IS_ERR(session->rd_data))
>  		return PTR_ERR(session->rd_data);
>  
> -	session->rd_size = req->rd_size;
> +	session->rd_size = rd_size;
>  
>  	hid = hid_allocate_device();
>  	if (IS_ERR(hid)) {

Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup

[Benjamin Tissoires]

On Mar 01 2026, Bastien Nocera wrote:
> On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> > From: Yufan Chen <ericterminal@gmail.com>
> > 
> > hidp_setup_hid() duplicates the report descriptor from userspace
> > based on
> > req->rd_size. Large values can trigger oversized copies.
> > 
> > Do not reject the connection when rd_size exceeds
> > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> > and use the capped value for memdup_user() and session->rd_size.
> > 
> > This keeps compatibility with existing userspace behavior while
> > bounding memory usage in the HID setup path.
> 
> Cross-sending this to linux-input@ for review, they would know the best
> way to deal with oversized HID descriptors.

AFAICT the hid-core code would be fine with it (it would parse it), but
there will be some issues (hidraw will not be able to export the entire
rdesc, so is the sysfs).

For reference, usbhid just returns -EINVAL for oversize report
descriptors.

Anyway, if the report descriptor is truncated, like in this patch, the
hid core parse will fail if the data is not correct, so I thing this
should be safe.

Cheers,
Benjamin

> 
> > 
> > Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> > ---
> >  net/bluetooth/hidp/core.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> > index 6fe815241..31aeffa39 100644
> > --- a/net/bluetooth/hidp/core.c
> > +++ b/net/bluetooth/hidp/core.c
> > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> > *session,
> >  				const struct hidp_connadd_req *req)
> >  {
> >  	struct hid_device *hid;
> > +	unsigned int rd_size;
> >  	int err;
> >  
> > -	session->rd_data = memdup_user(req->rd_data, req->rd_size);
> > +	rd_size = min_t(unsigned int, req->rd_size,
> > HID_MAX_DESCRIPTOR_SIZE);
> > +
> > +	session->rd_data = memdup_user(req->rd_data, rd_size);
> >  	if (IS_ERR(session->rd_data))
> >  		return PTR_ERR(session->rd_data);
> >  
> > -	session->rd_size = req->rd_size;
> > +	session->rd_size = rd_size;
> >  
> >  	hid = hid_allocate_device();
> >  	if (IS_ERR(hid)) {
> 

Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup

[Eric_Terminal]

Hi all,

Just a gentle ping on this patch.

Since Benjamin reviewed it from the input side and concluded it should
be safe, I was wondering if there are any further comments from the
Bluetooth side, or if anything else is needed from me for this to be
merged?

Thanks,
Yufan

On Wed, Mar 11, 2026 at 6:19 PM Benjamin Tissoires <bentiss@kernel.org> wrote:
>
> On Mar 01 2026, Bastien Nocera wrote:
> > On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> > > From: Yufan Chen <ericterminal@gmail.com>
> > >
> > > hidp_setup_hid() duplicates the report descriptor from userspace
> > > based on
> > > req->rd_size. Large values can trigger oversized copies.
> > >
> > > Do not reject the connection when rd_size exceeds
> > > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> > > and use the capped value for memdup_user() and session->rd_size.
> > >
> > > This keeps compatibility with existing userspace behavior while
> > > bounding memory usage in the HID setup path.
> >
> > Cross-sending this to linux-input@ for review, they would know the best
> > way to deal with oversized HID descriptors.
>
> AFAICT the hid-core code would be fine with it (it would parse it), but
> there will be some issues (hidraw will not be able to export the entire
> rdesc, so is the sysfs).
>
> For reference, usbhid just returns -EINVAL for oversize report
> descriptors.
>
> Anyway, if the report descriptor is truncated, like in this patch, the
> hid core parse will fail if the data is not correct, so I thing this
> should be safe.
>
> Cheers,
> Benjamin
>
> >
> > >
> > > Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> > > ---
> > >  net/bluetooth/hidp/core.c | 7 +++++--
> > >  1 file changed, 5 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> > > index 6fe815241..31aeffa39 100644
> > > --- a/net/bluetooth/hidp/core.c
> > > +++ b/net/bluetooth/hidp/core.c
> > > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> > > *session,
> > >                             const struct hidp_connadd_req *req)
> > >  {
> > >     struct hid_device *hid;
> > > +   unsigned int rd_size;
> > >     int err;
> > >
> > > -   session->rd_data = memdup_user(req->rd_data, req->rd_size);
> > > +   rd_size = min_t(unsigned int, req->rd_size,
> > > HID_MAX_DESCRIPTOR_SIZE);
> > > +
> > > +   session->rd_data = memdup_user(req->rd_data, rd_size);
> > >     if (IS_ERR(session->rd_data))
> > >             return PTR_ERR(session->rd_data);
> > >
> > > -   session->rd_size = req->rd_size;
> > > +   session->rd_size = rd_size;
> > >
> > >     hid = hid_allocate_device();
> > >     if (IS_ERR(hid)) {
> >