From: sashiko-bot@kernel.org
To: "Jinmo Yang" <jinmo44.yang@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 2/4] HID: wacom: validate report length for DTU handler
Date: Sun, 17 May 2026 14:47:32 +0000 [thread overview]
Message-ID: <20260517144733.4E080C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260517135215.2220117-3-jinmo44.yang@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Incomplete fix for slab-out-of-bounds read vulnerability. The patch correctly validates the buffer length for the DTU device handler, but leaves numerous other device handlers in the same function completely unpatched and vulnerable to the identical attack vector.
--
commit 873407ec5964c67c8e302293e3be453a56be7e51
Author: Jinmo Yang <jinmo44.yang@gmail.com>
HID: wacom: validate report length for DTU handler
wacom_dtu_irq() accesses fixed offsets up to data[7] in the raw HID
report buffer without validating the buffer length. This commit adds
a minimum length check in wacom_wac_irq() before dispatching to
wacom_dtu_irq() to prevent slab-out-of-bounds reads.
> diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
> index 6d06842b64080..873d58a6d5a3b 100644
> --- a/drivers/hid/wacom_wac.c
> +++ b/drivers/hid/wacom_wac.c
> @@ -3472,6 +3472,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)
> break;
>
> case DTU:
> + if (len < 8)
> + return;
> sync = wacom_dtu_irq(wacom_wac);
> break;
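Review bot: The bound in `if (len < 8)` is justified only by the commit message's "up to data[7]"; a comment at the check site, or a named constant shared with wacom_dtu_irq(), would keep the limit tied to the offsets the handler actually reads when they change. The check also lives at the call site of a single `case DTU:` in a switch whose other cases call their handlers with no length at all, so either the same guard has to be repeated per case or the minimum should be enforced once before dispatch.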
Could this same regression occur in the other device handlers called
from wacom_wac_irq()?
For example, cases like PENPARTNER, GRAPHIRE, and INTUOS also dispatch
to their respective handlers without checking len:
switch (wacom_wac->features.type) {
case PENPARTNER:
	sync = wacom_penpartner_irq(wacom_wac);
	break;
[ ... ]
case GRAPHIRE:
	[ ... ]
	sync = wacom_graphire_irq(wacom_wac);
	break;
[ ... ]
case INTUOS:
	[ ... ]
	sync = wacom_intuos_irq(wacom_wac);
	break;
Since these sub-handlers do not receive the len parameter, an attacker
spoofing the VID/PID of a PENPARTNER or INTUOS device might be able to
send a short report and trigger a similar out-of-bounds read regression.
Should length validations be added for the remaining device types to
ensure all handlers are protected?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260517135215.2220117-1-jinmo44.yang@gmail.com?part=2
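Added example, not code from wacom_wac.c: a small C model of the dispatch in wacom_wac_irq() where one per-type minimum-length table is checked before the switch, so the patch's per-case `if (len < 8)` does not have to be repeated for every handler. The type names come from the thread; the byte offsets each handler reads and every table value other than DTU's 8 (the commit message's "up to data[7]") are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum dev_type { PENPARTNER, GRAPHIRE, INTUOS, DTU, NUM_TYPES };

/* Minimum report length per type: highest offset read, plus one. DTU's 8
 * follows from the commit message's "up to data[7]"; the rest are
 * hypothetical values chosen only to keep this model self-consistent. */
static const size_t min_report_len[NUM_TYPES] = {
	[PENPARTNER] = 7, [GRAPHIRE] = 8, [INTUOS] = 10, [DTU] = 8,
};

struct wac_state { uint8_t data[16]; int x, y, pressure; };

/* Handlers get no length, as in wacom_wac_irq(): they trust the dispatcher. */
static int penpartner_irq(struct wac_state *w)   /* hypothetical layout */
{
	w->x = (w->data[2] << 8) | w->data[1];
	w->y = (w->data[4] << 8) | w->data[3];
	w->pressure = w->data[6];
	return 1;
}

static int dtu_irq(struct wac_state *w)          /* reads up to data[7] */
{
	w->x = (w->data[3] << 8) | w->data[2];
	w->y = (w->data[5] << 8) | w->data[4];
	w->pressure = (w->data[7] << 8) | w->data[6];
	return 1;
}

/* One length check before the switch, so adding a case without a table entry
 * is a visible omission. Returns 1 when a handler ran, 0 when the report was
 * dropped: unknown type, shorter than the handler needs, or too large. */
int dispatch_report(enum dev_type type, const uint8_t *report, size_t len,
		    struct wac_state *w)
{
	if ((unsigned)type >= NUM_TYPES || len < min_report_len[type] ||
	    len > sizeof(w->data))
		return 0;
	memcpy(w->data, report, len);
	switch (type) {
	case PENPARTNER: return penpartner_irq(w);
	case DTU:        return dtu_irq(w);
	default:         return 0;   /* GRAPHIRE and INTUOS not modelled */
	}
}
```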