* [PATCH] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
@ 2026-05-17 23:48 Muhammad Bilal
2026-05-18 2:56 ` bluez.test.bot
2026-05-18 5:18 ` [PATCH] " Greg KH
0 siblings, 2 replies; 3+ messages in thread
From: Muhammad Bilal @ 2026-05-17 23:48 UTC (permalink / raw)
To: linux-bluetooth
Cc: linux-kernel, marcel, luiz.dentz, johan.hedberg, stable,
Muhammad Bilal
hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.

hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in
an out-of-bounds read of skb data.
The OOB bytes may be interpreted as phantom key presses or
spurious mouse movement.

Add a check that skb->len is non-zero before the type switch, and
per-report-type minimum length checks before accessing the payload.
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/hidp/core.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 976f91eeb..03838a6ff 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -179,12 +179,22 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
{
struct input_dev *dev = session->input;
unsigned char *keys = session->keys;
- unsigned char *udata = skb->data + 1;
- signed char *sdata = skb->data + 1;
- int i, size = skb->len - 1;
+ unsigned char *udata;
+ signed char *sdata;
+ int i, size;
+
+ if (!skb->len)
+ return;
+
+ udata = skb->data + 1;
+ sdata = skb->data + 1;
+ size = skb->len - 1;
switch (skb->data[0]) {
case 0x01: /* Keyboard report */
+ if (size < 8)
+ break;
+
for (i = 0; i < 8; i++)
input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
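Review bot: the `if (!skb->len) return;` guard at the top of this hunk is what protects the `switch (skb->data[0])` read itself, not just the per-case payload reads, and it deserves a one-line comment saying so: hidp_recv_intr_frame() has already pulled the 1-byte HIDP header, so a header-only frame reaches this function with len 0 and data[0] is already past the valid bytes; a later cleanup could otherwise fold it into the case checks and reintroduce the problem. The `if (size < 8)` in the keyboard case likewise needs a comment (or a named constant) saying what 8 is, i.e. the boot-protocol keyboard report of a modifier byte, a reserved byte and six keycodes, since `udata[0]` is the only payload read visible here. A BT_DBG() before the `break` would also help diagnose a misbehaving device, because the truncated report is otherwise discarded silently. Separately, since the patch is Cc'd to stable, the stable rules expect a `Cc: stable@vger.kernel.org` line next to the Signed-off-by (and ideally a Fixes: tag); the mail header Cc alone is not enough.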
@@ -213,6 +223,9 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
break;
case 0x02: /* Mouse report */
+ if (size < 3)
+ break;
+
input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
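Review bot: `if (size < 3)` should get the same explanatory comment or named constant as the keyboard case: the boot-protocol mouse report is buttons, X and Y with an optional fourth wheel byte, and only the button read of `sdata[0]` is visible in this context, so a reader cannot tell from the hunk why 3 is the minimum rather than 2 or 4. Defining both minimums once (e.g. next to the `case` labels) would keep the two checks in step and make the relationship to any existing `size > 3` wheel handling explicit.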
--
2.54.0
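The length checks the patch adds, modelled in user space as an added example (not the patch's or the kernel's own code): `fake_skb`, `hid_event`, `recv_intr_frame()`, the sample frames, the result enum and the two size macros are constructed for illustration, and the report layouts assumed are the HID boot-protocol ones; `struct sk_buff`, `input_report_key()` and `hidp_keycode[]` are not used. It goes one step beyond the hunks by also decoding the payload, so the difference between an accepted and a rejected truncated frame is visible.

```c
/* Added example, not code from the patch or the kernel: a user-space model
 * of the length checks the patch adds to hidp_input_report().  Everything
 * below (fake_skb, hid_event, recv_intr_frame, sample frames) is constructed
 * for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the two sk_buff fields the handler reads. */
struct fake_skb {
    const uint8_t *data;
    size_t len;
};

enum hidp_result {
    HIDP_DROP_EMPTY,    /* nothing left after the 1-byte HIDP header */
    HIDP_DROP_SHORT,    /* known report type but payload too short */
    HIDP_UNKNOWN_TYPE,  /* report ID the handler does not know */
    HIDP_OK_KEYBOARD,   /* full boot keyboard report consumed */
    HIDP_OK_MOUSE       /* boot mouse report of at least 3 bytes consumed */
};

/* Boot-protocol report sizes (HID 1.11, Appendix B); the patch itself uses
 * the bare numbers 8 and 3. */
#define KBD_REPORT_LEN   8  /* modifier byte, reserved byte, 6 keycodes */
#define MOUSE_REPORT_MIN 3  /* buttons, X, Y; a 4th wheel byte is optional */

/* Decoded report, only filled in once the length check has passed. */
struct hid_event {
    uint8_t modifiers;
    uint8_t keys[6];
    uint8_t buttons;        /* bit0 left, bit1 right, bit2 middle */
    int8_t  dx, dy, wheel;
};

/* Model of the fixed handler: on entry data[0] is the report ID (the HIDP
 * header was already pulled by the caller) and the payload follows it. */
enum hidp_result hidp_input_report_checked(const struct fake_skb *skb,
                                           struct hid_event *ev)
{
    const uint8_t *udata;
    const int8_t *sdata;
    size_t size;

    memset(ev, 0, sizeof(*ev));

    /* A header-only frame arrives with len 0: without this guard the
     * report-ID read below is already one byte past the valid data. */
    if (!skb->len)
        return HIDP_DROP_EMPTY;

    udata = skb->data + 1;
    sdata = (const int8_t *)skb->data + 1;
    size = skb->len - 1;

    switch (skb->data[0]) {
    case 0x01: /* Keyboard report */
        if (size < KBD_REPORT_LEN)
            return HIDP_DROP_SHORT;
        ev->modifiers = udata[0];
        memcpy(ev->keys, udata + 2, sizeof(ev->keys));
        return HIDP_OK_KEYBOARD;

    case 0x02: /* Mouse report */
        if (size < MOUSE_REPORT_MIN)
            return HIDP_DROP_SHORT;
        ev->buttons = (uint8_t)(sdata[0] & 0x07);
        ev->dx = sdata[1];
        ev->dy = sdata[2];
        if (size > MOUSE_REPORT_MIN)   /* wheel byte is optional */
            ev->wheel = sdata[3];
        return HIDP_OK_MOUSE;
    }
    return HIDP_UNKNOWN_TYPE;
}

/* Result of the most recent dispatch, kept for inspection after the call. */
struct hid_event last_event;

/* Mirrors hidp_recv_intr_frame(): drop the 1-byte HIDP header (0xA1 in the
 * constructed frames) and dispatch whatever is left, even if that is nothing. */
enum hidp_result recv_intr_frame(const uint8_t *frame, size_t len)
{
    struct fake_skb skb;

    if (len < 1)
        return HIDP_DROP_EMPTY;
    skb.data = frame + 1;
    skb.len = len - 1;
    return hidp_input_report_checked(&skb, &last_event);
}

/* Constructed sample frames: HIDP header, report ID, payload. */
const uint8_t frame_kbd_full[]    = {0xA1, 0x01, 0x02, 0x00, 0x04, 0x05, 0, 0, 0, 0};
const uint8_t frame_kbd_short[]   = {0xA1, 0x01, 0x02, 0x00, 0x04};
const uint8_t frame_mouse_full[]  = {0xA1, 0x02, 0x01, 0x05, 0xFB};
const uint8_t frame_mouse_short[] = {0xA1, 0x02, 0x01, 0x05};
const uint8_t frame_header_only[] = {0xA1};
const uint8_t frame_unknown[]     = {0xA1, 0x03, 0x00};

int main(void)
{
    printf("full keyboard : %d\n", recv_intr_frame(frame_kbd_full, sizeof frame_kbd_full));
    printf("short keyboard: %d\n", recv_intr_frame(frame_kbd_short, sizeof frame_kbd_short));
    printf("header only   : %d\n", recv_intr_frame(frame_header_only, sizeof frame_header_only));
    printf("full mouse    : %d\n", recv_intr_frame(frame_mouse_full, sizeof frame_mouse_full));
    printf("  buttons=%u dx=%d dy=%d\n", last_event.buttons, last_event.dx, last_event.dy);
    printf("short mouse   : %d\n", recv_intr_frame(frame_mouse_short, sizeof frame_mouse_short));
    return 0;
}
```

Build with `cc -Wall -Wextra example.c` and run it; the header-only frame is the case that motivates the separate `!skb->len` check, because after the header pull there is no report ID byte to switch on at all, while the short keyboard and mouse frames exercise the per-type minimums.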
* RE: Bluetooth: HIDP: fix missing length checks in hidp_input_report()
From: bluez.test.bot @ 2026-05-18 2:56 UTC (permalink / raw)
To: linux-bluetooth, meatuni001
This is an automated email; please do not reply to it.
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1096211
---Test result---
Test Summary:
CheckPatch PASS 0.61 seconds
GitLint PASS 0.25 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 25.57 seconds
CheckAllWarning PASS 27.88 seconds
CheckSparse PASS 26.78 seconds
BuildKernel32 PASS 24.79 seconds
TestRunnerSetup PASS 530.22 seconds
TestRunner_l2cap-tester PASS 378.32 seconds
TestRunner_iso-tester PASS 596.24 seconds
TestRunner_bnep-tester PASS 18.62 seconds
TestRunner_mgmt-tester PASS 2023.70 seconds
TestRunner_rfcomm-tester PASS 63.42 seconds
TestRunner_sco-tester PASS 141.24 seconds
TestRunner_ioctl-tester PASS 133.47 seconds
TestRunner_mesh-tester PASS 59.92 seconds
TestRunner_smp-tester PASS 17.98 seconds
TestRunner_userchan-tester PASS 19.13 seconds
TestRunner_6lowpan-tester PASS 51.17 seconds
IncrementalBuild PASS 23.75 seconds
https://github.com/bluez/bluetooth-next/pull/206
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
From: Greg KH @ 2026-05-18 5:18 UTC (permalink / raw)
To: Muhammad Bilal
Cc: linux-bluetooth, linux-kernel, marcel, luiz.dentz, johan.hedberg,
stable
On Sun, May 17, 2026 at 07:48:05PM -0400, Muhammad Bilal wrote:
> hidp_input_report() reads keyboard and mouse payload data from an skb
> without first verifying that skb->len contains enough data.
>
> hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
> to hidp_input_report(). If a paired device sends a truncated packet,
> the handler reads beyond the valid skb data, resulting in
> an out-of-bounds read of skb data.
> The OOB bytes may be interpreted as phantom key presses or
> spurious mouse movement.
>
> Add a check that skb->len is non-zero before the type switch, and
> per-report-type minimum length checks before accessing the payload.
>
> Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
> ---
> net/bluetooth/hidp/core.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 976f91eeb..03838a6ff 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -179,12 +179,22 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
> {
> struct input_dev *dev = session->input;
> unsigned char *keys = session->keys;
> - unsigned char *udata = skb->data + 1;
> - signed char *sdata = skb->data + 1;
> - int i, size = skb->len - 1;
> + unsigned char *udata;
> + signed char *sdata;
> + int i, size;
> +
> + if (!skb->len)
> + return;
> +
> + udata = skb->data + 1;
> + sdata = skb->data + 1;
> + size = skb->len - 1;
>
> switch (skb->data[0]) {
> case 0x01: /* Keyboard report */
> + if (size < 8)
> + break;
> +
> for (i = 0; i < 8; i++)
> input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
>
> @@ -213,6 +223,9 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
> break;
>
> case 0x02: /* Mouse report */
> + if (size < 3)
> + break;
> +
> input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
> input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
> input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
> --
> 2.54.0
>
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>