* [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
@ 2025-08-10 18:09 Qasim Ijaz
2025-08-12 12:53 ` Jiri Kosina
0 siblings, 1 reply; 5+ messages in thread
From: Qasim Ijaz @ 2025-08-10 18:09 UTC (permalink / raw)
To: jikos, bentiss, linux-input, linux-kernel; +Cc: stable, Jiri Slaby
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15 however it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
---
v2:
- Simplify fix with a if-size check after discussion with Jiri Slaby
- Change explanation of bug to reflect inclusion of a if-size check
drivers/hid/hid-multitouch.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 294516a8f541..22c6314a8843 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -1503,6 +1503,14 @@ static const __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc,
if (hdev->vendor == I2C_VENDOR_ID_GOODIX &&
(hdev->product == I2C_DEVICE_ID_GOODIX_01E8 ||
hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) {
+ if (*size < 608) {
+ dev_info(
+ &hdev->dev,
+ "GT7868Q fixup: report descriptor is only %u bytes, skipping\n",
+ *size);
+ return rdesc;
+ }
+
if (rdesc[607] == 0x15) {
rdesc[607] = 0x25;
dev_info(
--
2.39.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
2025-08-10 18:09 [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() Qasim Ijaz
@ 2025-08-12 12:53 ` Jiri Kosina
2025-08-12 14:22 ` Qasim Ijaz
0 siblings, 1 reply; 5+ messages in thread
From: Jiri Kosina @ 2025-08-12 12:53 UTC (permalink / raw)
To: Qasim Ijaz; +Cc: bentiss, linux-input, linux-kernel, stable, Jiri Slaby
On Sun, 10 Aug 2025, Qasim Ijaz wrote:
> A malicious HID device can trigger a slab out-of-bounds during
> mt_report_fixup() by passing in report descriptor smaller than
> 607 bytes. mt_report_fixup() attempts to patch byte offset 607
> of the descriptor with 0x25 by first checking if byte offset
> 607 is 0x15 however it lacks bounds checks to verify if the
> descriptor is big enough before conducting this check. Fix
> this bug by ensuring the descriptor size is at least 608
> bytes before accessing it.
>
> Below is the KASAN splat after the out of bounds access happens:
>
> [ 13.671954] ==================================================================
> [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
> [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
> [ 13.673297]
> [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
> [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
> [ 13.673297] Call Trace:
> [ 13.673297] <TASK>
> [ 13.673297] dump_stack_lvl+0x5f/0x80
> [ 13.673297] print_report+0xd1/0x660
> [ 13.673297] kasan_report+0xe5/0x120
> [ 13.673297] __asan_report_load1_noabort+0x18/0x20
> [ 13.673297] mt_report_fixup+0x103/0x110
> [ 13.673297] hid_open_report+0x1ef/0x810
> [ 13.673297] mt_probe+0x422/0x960
> [ 13.673297] hid_device_probe+0x2e2/0x6f0
> [ 13.673297] really_probe+0x1c6/0x6b0
> [ 13.673297] __driver_probe_device+0x24f/0x310
> [ 13.673297] driver_probe_device+0x4e/0x220
> [ 13.673297] __device_attach_driver+0x169/0x320
> [ 13.673297] bus_for_each_drv+0x11d/0x1b0
> [ 13.673297] __device_attach+0x1b8/0x3e0
> [ 13.673297] device_initial_probe+0x12/0x20
> [ 13.673297] bus_probe_device+0x13d/0x180
> [ 13.673297] device_add+0xe3a/0x1670
> [ 13.673297] hid_add_device+0x31d/0xa40
> [...]
>
> Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q")
> Cc: stable@vger.kernel.org
> Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
> ---
> v2:
> - Simplify fix with a if-size check after discussion with Jiri Slaby
> - Change explanation of bug to reflect inclusion of a if-size check
Applied to hid.git#for-6.17/upstream-fixes, thanks.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
2025-08-12 12:53 ` Jiri Kosina
@ 2025-08-12 14:22 ` Qasim Ijaz
2025-08-12 14:25 ` Jiri Kosina
0 siblings, 1 reply; 5+ messages in thread
From: Qasim Ijaz @ 2025-08-12 14:22 UTC (permalink / raw)
To: Jiri Kosina; +Cc: bentiss, linux-input, linux-kernel, stable, Jiri Slaby
On Tue, Aug 12, 2025 at 02:53:50PM +0200, Jiri Kosina wrote:
> On Sun, 10 Aug 2025, Qasim Ijaz wrote:
>
> > A malicious HID device can trigger a slab out-of-bounds during
> > mt_report_fixup() by passing in report descriptor smaller than
> > 607 bytes. mt_report_fixup() attempts to patch byte offset 607
> > of the descriptor with 0x25 by first checking if byte offset
> > 607 is 0x15 however it lacks bounds checks to verify if the
> > descriptor is big enough before conducting this check. Fix
> > this bug by ensuring the descriptor size is at least 608
> > bytes before accessing it.
> >
> > Below is the KASAN splat after the out of bounds access happens:
> >
> > [ 13.671954] ==================================================================
> > [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
> > [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
> > [ 13.673297]
> > [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
> > [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
> > [ 13.673297] Call Trace:
> > [ 13.673297] <TASK>
> > [ 13.673297] dump_stack_lvl+0x5f/0x80
> > [ 13.673297] print_report+0xd1/0x660
> > [ 13.673297] kasan_report+0xe5/0x120
> > [ 13.673297] __asan_report_load1_noabort+0x18/0x20
> > [ 13.673297] mt_report_fixup+0x103/0x110
> > [ 13.673297] hid_open_report+0x1ef/0x810
> > [ 13.673297] mt_probe+0x422/0x960
> > [ 13.673297] hid_device_probe+0x2e2/0x6f0
> > [ 13.673297] really_probe+0x1c6/0x6b0
> > [ 13.673297] __driver_probe_device+0x24f/0x310
> > [ 13.673297] driver_probe_device+0x4e/0x220
> > [ 13.673297] __device_attach_driver+0x169/0x320
> > [ 13.673297] bus_for_each_drv+0x11d/0x1b0
> > [ 13.673297] __device_attach+0x1b8/0x3e0
> > [ 13.673297] device_initial_probe+0x12/0x20
> > [ 13.673297] bus_probe_device+0x13d/0x180
> > [ 13.673297] device_add+0xe3a/0x1670
> > [ 13.673297] hid_add_device+0x31d/0xa40
> > [...]
> >
> > Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> > Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
> > ---
> > v2:
> > - Simplify fix with a if-size check after discussion with Jiri Slaby
> > - Change explanation of bug to reflect inclusion of a if-size check
>
> Applied to hid.git#for-6.17/upstream-fixes, thanks.
>
Thanks Jiri. Would it also be possible to review this one:
<https://lore.kernel.org/all/20250810181041.44874-1-qasdev00@gmail.com/>,
I resent it but it probably got buried in your inbox.
Thanks,
Qasim
> --
> Jiri Kosina
> SUSE Labs
>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
2025-08-12 14:22 ` Qasim Ijaz
@ 2025-08-12 14:25 ` Jiri Kosina
0 siblings, 0 replies; 5+ messages in thread
From: Jiri Kosina @ 2025-08-12 14:25 UTC (permalink / raw)
To: Qasim Ijaz; +Cc: bentiss, linux-input, linux-kernel, stable, Jiri Slaby
On Tue, 12 Aug 2025, Qasim Ijaz wrote:
> Thanks Jiri. Would it also be possible to review this one:
> <https://lore.kernel.org/all/20250810181041.44874-1-qasdev00@gmail.com/>,
> I resent it but it probably got buried in your inbox.
That one is still in my queue to review, in didn't fall in between cracks.
Thanks,
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
@ 2025-08-01 9:36 Qasim Ijaz
0 siblings, 0 replies; 5+ messages in thread
From: Qasim Ijaz @ 2025-08-01 9:36 UTC (permalink / raw)
To: jikos, bentiss; +Cc: linux-input, linux-kernel, stable, Jiri Slaby
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15 however it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
---
v2:
- Simplify fix with a if-size check after discussion with Jiri Slaby
- Change explanation of bug to reflect inclusion of a if-size check
drivers/hid/hid-multitouch.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 294516a8f541..22c6314a8843 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -1503,6 +1503,14 @@ static const __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc,
if (hdev->vendor == I2C_VENDOR_ID_GOODIX &&
(hdev->product == I2C_DEVICE_ID_GOODIX_01E8 ||
hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) {
+ if (*size < 608) {
+ dev_info(
+ &hdev->dev,
+ "GT7868Q fixup: report descriptor is only %u bytes, skipping\n",
+ *size);
+ return rdesc;
+ }
+
if (rdesc[607] == 0x15) {
rdesc[607] = 0x25;
dev_info(
--
2.39.5
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-08-12 14:25 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-10 18:09 [PATCH v2 RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() Qasim Ijaz
2025-08-12 12:53 ` Jiri Kosina
2025-08-12 14:22 ` Qasim Ijaz
2025-08-12 14:25 ` Jiri Kosina
-- strict thread matches above, loose matches on Subject: below --
2025-08-01 9:36 Qasim Ijaz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).