* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup [not found] ` <20260228172657.53040-1-ericterminal@gmail.com> @ 2026-03-01 9:19 ` Bastien Nocera 2026-03-11 10:18 ` Benjamin Tissoires 0 siblings, 1 reply; 3+ messages in thread From: Bastien Nocera @ 2026-03-01 9:19 UTC (permalink / raw) To: Eric-Terminal, marcel, johan.hedberg, luiz.dentz Cc: linux-bluetooth, linux-kernel, linux-input On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote: > From: Yufan Chen <ericterminal@gmail.com> > > hidp_setup_hid() duplicates the report descriptor from userspace > based on > req->rd_size. Large values can trigger oversized copies. > > Do not reject the connection when rd_size exceeds > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() > and use the capped value for memdup_user() and session->rd_size. > > This keeps compatibility with existing userspace behavior while > bounding memory usage in the HID setup path. Cross-sending this to linux-input@ for review, they would know the best way to deal with oversized HID descriptors. > > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > --- > net/bluetooth/hidp/core.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > index 6fe815241..31aeffa39 100644 > --- a/net/bluetooth/hidp/core.c > +++ b/net/bluetooth/hidp/core.c 
> @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session > *session, > const struct hidp_connadd_req *req) > { > struct hid_device *hid; > + unsigned int rd_size; > int err; > > - session->rd_data = memdup_user(req->rd_data, req->rd_size); > + rd_size = min_t(unsigned int, req->rd_size, > HID_MAX_DESCRIPTOR_SIZE); > + > + session->rd_data = memdup_user(req->rd_data, rd_size); > if (IS_ERR(session->rd_data)) > return PTR_ERR(session->rd_data); > > - session->rd_size = req->rd_size; > + session->rd_size = rd_size; > > hid = hid_allocate_device(); > if (IS_ERR(hid)) { ^ permalink raw reply [flat|nested] 3+ messages in thread
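Review bot: The new `rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);` line silently truncates an over-long descriptor instead of refusing it, so `session->rd_size` no longer reflects what userspace passed and a descriptor cut mid-item is left for the HID parser to reject later; a short comment at that assignment saying the truncation is intentional and that the parser is expected to fail on the cut copy would stop the next reader from taking it for a bounds bug, and the commit message should state that descriptors above the cap are truncated rather than accepted, since "keeps compatibility with existing userspace behavior" reads as if they still work unchanged.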
* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup 2026-03-01 9:19 ` [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup Bastien Nocera @ 2026-03-11 10:18 ` Benjamin Tissoires 2026-03-22 15:37 ` Eric_Terminal 0 siblings, 1 reply; 3+ messages in thread From: Benjamin Tissoires @ 2026-03-11 10:18 UTC (permalink / raw) To: Bastien Nocera Cc: Eric-Terminal, marcel, johan.hedberg, luiz.dentz, linux-bluetooth, linux-kernel, linux-input On Mar 01 2026, Bastien Nocera wrote: > On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote: > > From: Yufan Chen <ericterminal@gmail.com> > > > > hidp_setup_hid() duplicates the report descriptor from userspace > > based on > > req->rd_size. Large values can trigger oversized copies. > > > > Do not reject the connection when rd_size exceeds > > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() > > and use the capped value for memdup_user() and session->rd_size. > > > > This keeps compatibility with existing userspace behavior while > > bounding memory usage in the HID setup path. > > Cross-sending this to linux-input@ for review, they would know the best > way to deal with oversized HID descriptors. AFAICT the hid-core code would be fine with it (it would parse it), but there will be some issues (hidraw will not be able to export the entire rdesc, nor will sysfs). For reference, usbhid just returns -EINVAL for oversize report descriptors. Anyway, if the report descriptor is truncated, like in this patch, the hid core parse will fail if the data is not correct, so I think this should be safe. Cheers, Benjamin > > > > > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > > --- > > net/bluetooth/hidp/core.c | 7 +++++-- > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > > index 6fe815241..31aeffa39 100644 > > --- a/net/bluetooth/hidp/core.c > > +++ b/net/bluetooth/hidp/core.c 
> > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session > > *session, > > const struct hidp_connadd_req *req) > > { > > struct hid_device *hid; > > + unsigned int rd_size; > > int err; > > > > - session->rd_data = memdup_user(req->rd_data, req->rd_size); > > + rd_size = min_t(unsigned int, req->rd_size, > > HID_MAX_DESCRIPTOR_SIZE); > > + > > + session->rd_data = memdup_user(req->rd_data, rd_size); > > if (IS_ERR(session->rd_data)) > > return PTR_ERR(session->rd_data); > > > > - session->rd_size = req->rd_size; > > + session->rd_size = rd_size; > > > > hid = hid_allocate_device(); > > if (IS_ERR(hid)) { > ^ permalink raw reply [flat|nested] 3+ messages in thread
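Benjamin's point above is that a descriptor cut off at the cap is not accepted silently: a HID parser walks items and rejects one that runs past the end of the buffer. The following is an added, stand-alone illustration (not kernel code and not from the patch) of the cap from the hunk together with a minimal HID item walker; `hid_check_rdesc`, `hidp_cap_rd_size` and the sample descriptor bytes are constructed for this example, and the value of HID_MAX_DESCRIPTOR_SIZE is assumed to be 4096.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value of the kernel's bound (include/linux/hid.h). */
#define HID_MAX_DESCRIPTOR_SIZE 4096

/* The patch's cap: copy at most HID_MAX_DESCRIPTOR_SIZE bytes. */
static size_t hidp_cap_rd_size(unsigned int req_size)
{
    return req_size < HID_MAX_DESCRIPTOR_SIZE ? req_size : HID_MAX_DESCRIPTOR_SIZE;
}

/* Walk HID short/long items like a descriptor parser would.
 * Returns 0 if every item fits in len bytes and collections balance,
 * -1 if an item runs past the end (truncated), -2 if collections
 * are unbalanced (e.g. a missing End Collection after truncation). */
static int hid_check_rdesc(const uint8_t *rd, size_t len)
{
    static const size_t short_sz[4] = {0, 1, 2, 4};   /* bSize encoding */
    size_t i = 0, dlen;
    int depth = 0;

    while (i < len) {
        uint8_t prefix = rd[i++];
        if (prefix == 0xFE) {                 /* long item: bDataSize, bLongItemTag */
            if (i + 2 > len) return -1;
            dlen = rd[i];
            i += 2;
        } else {
            uint8_t type = (prefix >> 2) & 0x03, tag = prefix >> 4;
            dlen = short_sz[prefix & 0x03];
            if (type == 0 && tag == 0xA) depth++; /* Main: Collection */
            if (type == 0 && tag == 0xC) depth--; /* Main: End Collection */
            if (depth < 0) return -2;
        }
        if (i + dlen > len) return -1;        /* item data past end of buffer */
        i += dlen;
    }
    return depth == 0 ? 0 : -2;
}

/* Constructed 34-byte 3-button mouse descriptor used as sample input. */
static const uint8_t sample_rdesc[] = {
    0x05, 0x01, 0x09, 0x02, 0xA1, 0x01, 0x09, 0x01, 0xA1, 0x00, 0x05, 0x09,
    0x19, 0x01, 0x29, 0x03, 0x15, 0x00, 0x25, 0x01, 0x95, 0x03, 0x75, 0x01,
    0x81, 0x02, 0x95, 0x01, 0x75, 0x05, 0x81, 0x01, 0xC0, 0xC0 };

int main(void)
{
    printf("full: %d, cut mid-item: %d, cut before End Collection: %d\n",
           hid_check_rdesc(sample_rdesc, sizeof sample_rdesc),
           hid_check_rdesc(sample_rdesc, 31), hid_check_rdesc(sample_rdesc, 33));
    return 0;
}
```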
* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup 2026-03-11 10:18 ` Benjamin Tissoires @ 2026-03-22 15:37 ` Eric_Terminal 0 siblings, 0 replies; 3+ messages in thread From: Eric_Terminal @ 2026-03-22 15:37 UTC (permalink / raw) To: Benjamin Tissoires Cc: Bastien Nocera, marcel, johan.hedberg, luiz.dentz, linux-bluetooth, linux-kernel, linux-input Hi all, Just a gentle ping on this patch. Since Benjamin reviewed it from the input side and concluded it should be safe, I was wondering if there are any further comments from the Bluetooth side, or if anything else is needed from me for this to be merged? Thanks, Yufan On Wed, Mar 11, 2026 at 6:19 PM Benjamin Tissoires <bentiss@kernel.org> wrote: > > On Mar 01 2026, Bastien Nocera wrote: > > On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote: > > > From: Yufan Chen <ericterminal@gmail.com> > > > > > > hidp_setup_hid() duplicates the report descriptor from userspace > > > based on > > > req->rd_size. Large values can trigger oversized copies. > > > > > > Do not reject the connection when rd_size exceeds > > > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid() > > > and use the capped value for memdup_user() and session->rd_size. > > > > > > This keeps compatibility with existing userspace behavior while > > > bounding memory usage in the HID setup path. > > > > Cross-sending this to linux-input@ for review, they would know the best > > way to deal with oversized HID descriptors. > > AFAICT the hid-core code would be fine with it (it would parse it), but > there will be some issues (hidraw will not be able to export the entire > rdesc, nor will sysfs). > > For reference, usbhid just returns -EINVAL for oversize report > descriptors. > > Anyway, if the report descriptor is truncated, like in this patch, the > hid core parse will fail if the data is not correct, so I think this > should be safe. > > Cheers, > Benjamin 
> > > > > > > > > Signed-off-by: Yufan Chen <ericterminal@gmail.com> > > > --- > > > net/bluetooth/hidp/core.c | 7 +++++-- > > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > > > index 6fe815241..31aeffa39 100644 > > > --- a/net/bluetooth/hidp/core.c > > > +++ b/net/bluetooth/hidp/core.c > > > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session > > > *session, > > > const struct hidp_connadd_req *req) > > > { > > > struct hid_device *hid; > > > + unsigned int rd_size; > > > int err; > > > > > > - session->rd_data = memdup_user(req->rd_data, req->rd_size); > > > + rd_size = min_t(unsigned int, req->rd_size, > > > HID_MAX_DESCRIPTOR_SIZE); > > > + > > > + session->rd_data = memdup_user(req->rd_data, rd_size); > > > if (IS_ERR(session->rd_data)) > > > return PTR_ERR(session->rd_data); > > > > > > - session->rd_size = req->rd_size; > > > + session->rd_size = rd_size; > > > > > > hid = hid_allocate_device(); > > > if (IS_ERR(hid)) { > > ^ permalink raw reply [flat|nested] 3+ messages in thread