From: Markus Elfring <Markus.Elfring@web.de>
To: sashiko-reviews@lists.linux.dev, linux-input@vger.kernel.org,
linux-usb@vger.kernel.org,
Benjamin Tissoires <bentiss@kernel.org>,
Jiri Kosina <jikos@kernel.org>,
Mahad Ibrahim <mahad.ibrahim.dev@gmail.com>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Woradorn Laodhanadhaworn <woradorn.laon@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] HID: usbhid: Use seq_buf_putc() in three functions
Date: Thu, 25 Jun 2026 11:55:37 +0200 [thread overview]
Message-ID: <b7ba4486-6c67-4557-9bf5-4ca4eca8d405@web.de> (raw)
In-Reply-To: <20260625093209.34B6B1F000E9@smtp.kernel.org>
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Medium] Replacing `seq_buf_puts()` with `seq_buf_putc()` introduces a NUL-termination bug when the manufacturer string is exactly 127 bytes long, leading to an out-of-bounds read.
These functions were used without error detection so far.
> --
>
> commit c41669030bdd8635988fc175a1caf4183a28344a
> Author: Markus Elfring <elfring@users.sourceforge.net>
>
> HID: usbhid: Use seq_buf_putc() in three functions
>
> This patch updates three probe functions to use seq_buf_putc() instead
> of seq_buf_puts() when inserting a single space character into sequence
> buffers.
>
>> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
>> --- a/drivers/hid/usbhid/hid-core.c
>> +++ b/drivers/hid/usbhid/hid-core.c
>> @@ -1412,7 +1412,7 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
>>
>> if (dev->product) {
>> if (dev->manufacturer)
>> - seq_buf_puts(&hid_name, " ");
>> + seq_buf_putc(&hid_name, ' ');
>
> [Severity: Medium]
> Does this change introduce a missing null termination bug in usbhid_probe()
> if the manufacturer string is exactly 127 bytes long?
>
> The previous code using seq_buf_puts() requires two bytes of available
> capacity (one for the space, one for the trailing null byte) and safely fails
> if there isn't enough room.
Can descriptions be extended for possible failure conditions?
https://elixir.bootlin.com/linux/v7.1.1/source/lib/seq_buf.c#L203-L221
> Looking at seq_buf_putc(), it only checks if there is room for one byte.
> If the sequence buffer is exactly 128 bytes long and already contains 127
> characters from dev->manufacturer plus the null terminator, seq_buf_putc()
> will overwrite the null terminator at index 127 with a space character.
>
> This leaves hid->name completely unterminated. When exposed to userspace via
> sysfs or input ioctls, this could lead to an out-of-bounds read into the
> adjacent hid->phys memory field.
>
>> seq_buf_puts(&hid_name, dev->product);
How likely is it that such product information will be appended as expected
at mentioned source code places?
Regards,
Markus
next prev parent reply other threads:[~2026-06-25 9:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 9:22 [PATCH] HID: usbhid: Use seq_buf_putc() in three functions Markus Elfring
2026-06-25 9:32 ` sashiko-bot
2026-06-25 9:55 ` Markus Elfring [this message]
2026-06-25 16:55 ` Markus Elfring
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b7ba4486-6c67-4557-9bf5-4ca4eca8d405@web.de \
--to=markus.elfring@web.de \
--cc=bentiss@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=jikos@kernel.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mahad.ibrahim.dev@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=woradorn.laon@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox