[PATCH] Bluetooth: HIDP: reject oversized report descriptor

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: HIDP: reject oversized report descriptor
@ 2026-02-25  1:35 Eric-Terminal
  2026-02-27 15:04 ` Luiz Augusto von Dentz
  0 siblings, 1 reply; 6+ messages in thread
From: Eric-Terminal @ 2026-02-25  1:35 UTC (permalink / raw)
  To: marcel, johan.hedberg, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, ericterminal

From: Yufan Chen <ericterminal@gmail.com>

hidp_setup_hid() duplicates the report descriptor from userspace
based on req->rd_size. hidp_session_dev_init() only checked
rd_size > 0, so oversized values were accepted and propagated
to memdup_user().

Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return
-EINVAL before entering the HID setup path.

Signed-off-by: Yufan Chen <ericterminal@gmail.com>
---
 net/bluetooth/hidp/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6fe815241..ce68b3c27 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session,
 {
 	int ret;
 
+	if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)
+		return -EINVAL;
+
 	if (req->rd_size > 0) {
 		ret = hidp_setup_hid(session, req);
 		if (ret && ret != -ENODEV)
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] Bluetooth: HIDP: reject oversized report descriptor
  2026-02-25  1:35 [PATCH] Bluetooth: HIDP: reject oversized report descriptor Eric-Terminal
@ 2026-02-27 15:04 ` Luiz Augusto von Dentz
  2026-02-28 17:26   ` [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup Eric-Terminal
  0 siblings, 1 reply; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-27 15:04 UTC (permalink / raw)
  To: Eric-Terminal; +Cc: marcel, johan.hedberg, linux-bluetooth, linux-kernel

Hi Yafan,

On Tue, Feb 24, 2026 at 8:35 PM Eric-Terminal <ericterminal@gmail.com> wrote:
>
> From: Yufan Chen <ericterminal@gmail.com>
>
> hidp_setup_hid() duplicates the report descriptor from userspace
> based on req->rd_size. hidp_session_dev_init() only checked
> rd_size > 0, so oversized values were accepted and propagated
> to memdup_user().
>
> Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return
> -EINVAL before entering the HID setup path.

Well this has the potential to break compatibility if a device
misbehaves. So is this causing a real problem or is it just defensive
coding? In case of the later, we may just truncate or something, if
that is not already truncated somewhere else.

> Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> ---
>  net/bluetooth/hidp/core.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6fe815241..ce68b3c27 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session,
>  {
>         int ret;
>
> +       if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)
> +               return -EINVAL;
> +
>         if (req->rd_size > 0) {
>                 ret = hidp_setup_hid(session, req);
>                 if (ret && ret != -ENODEV)
> --
> 2.53.0
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup
  2026-02-27 15:04 ` Luiz Augusto von Dentz
@ 2026-02-28 17:26   ` Eric-Terminal
  2026-03-01  9:19     ` Bastien Nocera
  0 siblings, 1 reply; 6+ messages in thread
From: Eric-Terminal @ 2026-02-28 17:26 UTC (permalink / raw)
  To: marcel, johan.hedberg, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, Yufan Chen

From: Yufan Chen <ericterminal@gmail.com>

hidp_setup_hid() duplicates the report descriptor from userspace based on
req->rd_size. Large values can trigger oversized copies.

Do not reject the connection when rd_size exceeds
HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
and use the capped value for memdup_user() and session->rd_size.

This keeps compatibility with existing userspace behavior while
bounding memory usage in the HID setup path.

Signed-off-by: Yufan Chen <ericterminal@gmail.com>
---
 net/bluetooth/hidp/core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6fe815241..31aeffa39 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session *session,
 				const struct hidp_connadd_req *req)
 {
 	struct hid_device *hid;
+	unsigned int rd_size;
 	int err;
 
-	session->rd_data = memdup_user(req->rd_data, req->rd_size);
+	rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);
+
+	session->rd_data = memdup_user(req->rd_data, rd_size);
 	if (IS_ERR(session->rd_data))
 		return PTR_ERR(session->rd_data);
 
-	session->rd_size = req->rd_size;
+	session->rd_size = rd_size;
 
 	hid = hid_allocate_device();
 	if (IS_ERR(hid)) {
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup
  2026-02-28 17:26   ` [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup Eric-Terminal
@ 2026-03-01  9:19     ` Bastien Nocera
  2026-03-11 10:18       ` Benjamin Tissoires
  0 siblings, 1 reply; 6+ messages in thread
From: Bastien Nocera @ 2026-03-01  9:19 UTC (permalink / raw)
  To: Eric-Terminal, marcel, johan.hedberg, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, linux-input

On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> From: Yufan Chen <ericterminal@gmail.com>
> 
> hidp_setup_hid() duplicates the report descriptor from userspace
> based on
> req->rd_size. Large values can trigger oversized copies.
> 
> Do not reject the connection when rd_size exceeds
> HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> and use the capped value for memdup_user() and session->rd_size.
> 
> This keeps compatibility with existing userspace behavior while
> bounding memory usage in the HID setup path.

Cross-sending this to linux-input@ for review, they would know the best
way to deal with oversized HID descriptors.

> 
> Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> ---
>  net/bluetooth/hidp/core.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6fe815241..31aeffa39 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> *session,
>  				const struct hidp_connadd_req *req)
>  {
>  	struct hid_device *hid;
> +	unsigned int rd_size;
>  	int err;
>  
> -	session->rd_data = memdup_user(req->rd_data, req->rd_size);
> +	rd_size = min_t(unsigned int, req->rd_size,
> HID_MAX_DESCRIPTOR_SIZE);
> +
> +	session->rd_data = memdup_user(req->rd_data, rd_size);
>  	if (IS_ERR(session->rd_data))
>  		return PTR_ERR(session->rd_data);
>  
> -	session->rd_size = req->rd_size;
> +	session->rd_size = rd_size;
>  
>  	hid = hid_allocate_device();
>  	if (IS_ERR(hid)) {

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup
  2026-03-01  9:19     ` Bastien Nocera
@ 2026-03-11 10:18       ` Benjamin Tissoires
  2026-03-22 15:37         ` Eric_Terminal
  0 siblings, 1 reply; 6+ messages in thread
From: Benjamin Tissoires @ 2026-03-11 10:18 UTC (permalink / raw)
  To: Bastien Nocera
  Cc: Eric-Terminal, marcel, johan.hedberg, luiz.dentz, linux-bluetooth,
	linux-kernel, linux-input

On Mar 01 2026, Bastien Nocera wrote:
> On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> > From: Yufan Chen <ericterminal@gmail.com>
> > 
> > hidp_setup_hid() duplicates the report descriptor from userspace
> > based on
> > req->rd_size. Large values can trigger oversized copies.
> > 
> > Do not reject the connection when rd_size exceeds
> > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> > and use the capped value for memdup_user() and session->rd_size.
> > 
> > This keeps compatibility with existing userspace behavior while
> > bounding memory usage in the HID setup path.
> 
> Cross-sending this to linux-input@ for review, they would know the best
> way to deal with oversized HID descriptors.

AFAICT the hid-core code would be fine with it (it would parse it), but
there will be some issues (hidraw will not be able to export the entire
rdesc, so is the sysfs).

For reference, usbhid just returns -EINVAL for oversize report
descriptors.

Anyway, if the report descriptor is truncated, like in this patch, the
hid core parse will fail if the data is not correct, so I thing this
should be safe.

Cheers,
Benjamin

> 
> > 
> > Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> > ---
> >  net/bluetooth/hidp/core.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> > index 6fe815241..31aeffa39 100644
> > --- a/net/bluetooth/hidp/core.c
> > +++ b/net/bluetooth/hidp/core.c
> > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> > *session,
> >  				const struct hidp_connadd_req *req)
> >  {
> >  	struct hid_device *hid;
> > +	unsigned int rd_size;
> >  	int err;
> >  
> > -	session->rd_data = memdup_user(req->rd_data, req->rd_size);
> > +	rd_size = min_t(unsigned int, req->rd_size,
> > HID_MAX_DESCRIPTOR_SIZE);
> > +
> > +	session->rd_data = memdup_user(req->rd_data, rd_size);
> >  	if (IS_ERR(session->rd_data))
> >  		return PTR_ERR(session->rd_data);
> >  
> > -	session->rd_size = req->rd_size;
> > +	session->rd_size = rd_size;
> >  
> >  	hid = hid_allocate_device();
> >  	if (IS_ERR(hid)) {
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup
  2026-03-11 10:18       ` Benjamin Tissoires
@ 2026-03-22 15:37         ` Eric_Terminal
  0 siblings, 0 replies; 6+ messages in thread
From: Eric_Terminal @ 2026-03-22 15:37 UTC (permalink / raw)
  To: Benjamin Tissoires
  Cc: Bastien Nocera, marcel, johan.hedberg, luiz.dentz,
	linux-bluetooth, linux-kernel, linux-input

Hi all,

Just a gentle ping on this patch.

Since Benjamin reviewed it from the input side and concluded it should
be safe, I was wondering if there are any further comments from the
Bluetooth side, or if anything else is needed from me for this to be
merged?

Thanks,
Yufan

On Wed, Mar 11, 2026 at 6:19 PM Benjamin Tissoires <bentiss@kernel.org> wrote:
>
> On Mar 01 2026, Bastien Nocera wrote:
> > On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> > > From: Yufan Chen <ericterminal@gmail.com>
> > >
> > > hidp_setup_hid() duplicates the report descriptor from userspace
> > > based on
> > > req->rd_size. Large values can trigger oversized copies.
> > >
> > > Do not reject the connection when rd_size exceeds
> > > HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> > > and use the capped value for memdup_user() and session->rd_size.
> > >
> > > This keeps compatibility with existing userspace behavior while
> > > bounding memory usage in the HID setup path.
> >
> > Cross-sending this to linux-input@ for review, they would know the best
> > way to deal with oversized HID descriptors.
>
> AFAICT the hid-core code would be fine with it (it would parse it), but
> there will be some issues (hidraw will not be able to export the entire
> rdesc, so is the sysfs).
>
> For reference, usbhid just returns -EINVAL for oversize report
> descriptors.
>
> Anyway, if the report descriptor is truncated, like in this patch, the
> hid core parse will fail if the data is not correct, so I thing this
> should be safe.
>
> Cheers,
> Benjamin
>
> >
> > >
> > > Signed-off-by: Yufan Chen <ericterminal@gmail.com>
> > > ---
> > >  net/bluetooth/hidp/core.c | 7 +++++--
> > >  1 file changed, 5 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> > > index 6fe815241..31aeffa39 100644
> > > --- a/net/bluetooth/hidp/core.c
> > > +++ b/net/bluetooth/hidp/core.c
> > > @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> > > *session,
> > >                             const struct hidp_connadd_req *req)
> > >  {
> > >     struct hid_device *hid;
> > > +   unsigned int rd_size;
> > >     int err;
> > >
> > > -   session->rd_data = memdup_user(req->rd_data, req->rd_size);
> > > +   rd_size = min_t(unsigned int, req->rd_size,
> > > HID_MAX_DESCRIPTOR_SIZE);
> > > +
> > > +   session->rd_data = memdup_user(req->rd_data, rd_size);
> > >     if (IS_ERR(session->rd_data))
> > >             return PTR_ERR(session->rd_data);
> > >
> > > -   session->rd_size = req->rd_size;
> > > +   session->rd_size = rd_size;
> > >
> > >     hid = hid_allocate_device();
> > >     if (IS_ERR(hid)) {
> >

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-03-22 15:38 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-25  1:35 [PATCH] Bluetooth: HIDP: reject oversized report descriptor Eric-Terminal
2026-02-27 15:04 ` Luiz Augusto von Dentz
2026-02-28 17:26   ` [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup Eric-Terminal
2026-03-01  9:19     ` Bastien Nocera
2026-03-11 10:18       ` Benjamin Tissoires
2026-03-22 15:37         ` Eric_Terminal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox