[PATCH v2] HID: ft260: validate i2c input report length

public inbox for linux-input@vger.kernel.org
 help / color / mirror / Atom feed

From: Michael Zaidman <michael.zaidman@gmail.com>
To: jikos@kernel.org, benjamin.tissoires@redhat.com
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	sebasjosue84@gmail.com,
	Michael Zaidman <michael.zaidman@gmail.com>
Subject: [PATCH v2] HID: ft260: validate i2c input report length
Date: Sat, 11 Apr 2026 09:24:37 +0300	[thread overview]
Message-ID: <20260411062437.279838-1-michael.zaidman@gmail.com> (raw)
In-Reply-To: <CAPnwWgPhb+owa69-pTADpqk=KMWH71EUT6cxwCeT5KGnBWk+Xg@mail.gmail.com>

Add two checks to ft260_raw_event() to prevent out-of-bounds reads
from malicious or malfunctioning devices:

First, reject reports shorter than the 2-byte header (report ID +
length fields). Without this, even accessing xfer->length on a
1-byte report is an OOB read.

Second, validate xfer->length against the actual data capacity of
the received HID report. Each I2C data report ID (0xD0 through
0xDE) defines a different report size in the HID descriptor, so the
available payload varies per report. A corrupted length field could
cause memcpy to read beyond the report buffer.

Reported-by: Sebastián Josué Alba Vives <sebasjosue84@gmail.com>
Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
---
Changes in v2:
- Add minimum report size check before accessing header fields to
  prevent OOB read on truncated reports (size < 2)

Tested on FT260 with I2C-attached EEPROM (24c02) behind PCA9548
mux switches. Verified reads of various sizes (1-4 bytes using
report ID 0xD0, and larger reads using higher report IDs) with
debug tracing enabled, confirming xfer->length is correctly
validated against the HID report size for each report ID.
---
 drivers/hid/hid-ft260.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c
index 333341e80b0e..70e2eedb465a 100644
--- a/drivers/hid/hid-ft260.c
+++ b/drivers/hid/hid-ft260.c
@@ -1068,10 +1068,22 @@ static int ft260_raw_event(struct hid_device *hdev, struct hid_report *report,
 	struct ft260_device *dev = hid_get_drvdata(hdev);
 	struct ft260_i2c_input_report *xfer = (void *)data;
 
+	if (size < offsetof(struct ft260_i2c_input_report, data)) {
+		hid_err(hdev, "short report %d\n", size);
+		return -1;
+	}
+
 	if (xfer->report >= FT260_I2C_REPORT_MIN &&
 	    xfer->report <= FT260_I2C_REPORT_MAX) {
-		ft260_dbg("i2c resp: rep %#02x len %d\n", xfer->report,
-			  xfer->length);
+		ft260_dbg("i2c resp: rep %#02x len %d size %d\n",
+			  xfer->report, xfer->length, size);
+
+		if (xfer->length > size -
+		    offsetof(struct ft260_i2c_input_report, data)) {
+			hid_err(hdev, "report %#02x: length %d exceeds HID report size\n",
+				xfer->report, xfer->length);
+			return -1;
+		}
 
 		if ((dev->read_buf == NULL) ||
 		    (xfer->length > dev->read_len - dev->read_idx)) {
-- 
2.25.1

     prev parent reply	other threads:[~2026-04-11  6:24 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-24 17:35 [PATCH] HID: ft260: validate report size in raw_event handler Sebastian Josue Alba Vives
2026-03-24 20:00 ` Michael Zaidman
2026-03-24 20:18 ` [PATCH v2] HID: ft260: validate report size and payload length in raw_event Sebastian Josue Alba Vives
2026-04-09 15:50   ` Jiri Kosina
2026-04-09 18:24     ` Michael Zaidman
2026-04-09 18:28       ` Jiri Kosina
2026-04-09 19:17         ` Michael Zaidman
2026-04-10  9:41       ` [PATCH] HID: ft260: validate i2c input report length Michael Zaidman
2026-04-11  6:24       ` Michael Zaidman [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:333341e80b0 dfblob:70e2eedb465 )
 OR (
bs:"[PATCH v2] HID: ft260: validate i2c input report length" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260411062437.279838-1-michael.zaidman@gmail.com \
    --to=michael.zaidman@gmail.com \
    --cc=benjamin.tissoires@redhat.com \
    --cc=jikos@kernel.org \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sebasjosue84@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox