* [PATCH] HID: pxrc: reject short input reports
@ 2026-06-28 16:28 Yousef Alhouseen
2026-06-28 16:41 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: Yousef Alhouseen @ 2026-06-28 16:28 UTC (permalink / raw)
To: Marcus Folkesson, Jiri Kosina, Benjamin Tissoires
Cc: linux-input, linux-kernel, stable, Yousef Alhouseen
pxrc_raw_event() unconditionally reads and writes data[7], although a
malformed USB device can submit a shorter input report. The raw-event
callback runs before the HID core expands short reports to the size from
the report descriptor, so this accesses beyond the received buffer.
Ignore reports that do not contain all eight controller axes.
Fixes: acc3e34613da ("HID: Add driver for PhoenixRC Flight Controller")
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/hid/hid-pxrc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/hid-pxrc.c b/drivers/hid/hid-pxrc.c
index 71fe0c06ddcd..e3755d8b85c2 100644
--- a/drivers/hid/hid-pxrc.c
+++ b/drivers/hid/hid-pxrc.c
@@ -55,6 +55,9 @@ static int pxrc_raw_event(struct hid_device *hdev, struct hid_report *report,
{
struct pxrc_priv *priv = hid_get_drvdata(hdev);
+ if (size < 8)
+ return 0;
+
if (priv->alternate)
priv->slider = data[7];
else
--
2.54.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] HID: pxrc: reject short input reports
2026-06-28 16:28 [PATCH] HID: pxrc: reject short input reports Yousef Alhouseen
@ 2026-06-28 16:41 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-28 16:41 UTC (permalink / raw)
To: Yousef Alhouseen; +Cc: dmitry.torokhov, linux-input
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Incomplete fix / logic error: returning 0 for short reports does not drop the report.
--
commit 601e7ac29ed99f9b83b5ad4f7ade423528b08e79
Author: Yousef Alhouseen <alhouseenyousef@gmail.com>
HID: pxrc: reject short input reports
This commit fixes an out-of-bounds access in pxrc_raw_event() by checking
if the incoming input report is shorter than 8 bytes and returning early.
> diff --git a/drivers/hid/hid-pxrc.c b/drivers/hid/hid-pxrc.c
> index 71fe0c06ddcdf..e3755d8b85c22 100644
> --- a/drivers/hid/hid-pxrc.c
> +++ b/drivers/hid/hid-pxrc.c
> @@ -55,6 +55,9 @@ static int pxrc_raw_event(struct hid_device *hdev, struct hid_report *report,
> {
> struct pxrc_priv *priv = hid_get_drvdata(hdev);
>
> + if (size < 8)
> + return 0;
[Severity: Medium]
Does returning 0 here achieve the goal of ignoring the report?
When the driver receives a short report and pxrc_raw_event() returns 0,
it signals success to the HID core. Looking at __hid_input_report(),
if the raw_event callback returns >= 0, the core falls through to
hid_report_raw_event(). This will zero-pad the missing bytes and dispatch
the report, which can result in erratic zero-values for the missing axes
in userspace applications.
Should this return a negative error code (like -EINVAL) to ensure the
malformed report is completely dropped by the core instead of padded?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628162806.10675-1-alhouseenyousef@gmail.com?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-28 16:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-28 16:28 [PATCH] HID: pxrc: reject short input reports Yousef Alhouseen
2026-06-28 16:41 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox