* [PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event()
@ 2026-05-08 13:33 Jinmo Yang
2026-05-12 16:10 ` Jiri Kosina
0 siblings, 1 reply; 2+ messages in thread
From: Jinmo Yang @ 2026-05-08 13:33 UTC (permalink / raw)
To: marcus.folkesson, jikos, benjamin.tissoires
Cc: linux-input, linux-kernel, stable, Jinmo Yang
pxrc_raw_event() accesses data[7] without verifying that the buffer is
large enough. A device that sends a report shorter than 8 bytes causes
an out-of-bounds read (priv->dial = data[7]) and an out-of-bounds write
(data[7] = priv->dial) on the report buffer, corrupting adjacent slab
memory.
This can be triggered from userspace via /dev/uhid by creating a virtual
device with VID 0x1781 / PID 0x0898 and sending a short UHID_INPUT2
report.
Add a size check at the top of pxrc_raw_event() to bail out when the
report buffer is shorter than 8 bytes.
Fixes: a2dccedac664 ("HID: pxrc: new driver for PhoenixRC Flight Controller Adapter")
Cc: stable@vger.kernel.org
Signed-off-by: Jinmo Yang <jinmo44.yang@gmail.com>
---
drivers/hid/hid-pxrc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/hid-pxrc.c b/drivers/hid/hid-pxrc.c
index 07e20ff6018e..f2524547c7a1 100644
--- a/drivers/hid/hid-pxrc.c
+++ b/drivers/hid/hid-pxrc.c
@@ -53,6 +53,9 @@ static int pxrc_raw_event(struct hid_device *hdev, struct hid_report *report,
u8 *data, int size)
{
struct pxrc_priv *priv = hid_get_drvdata(hdev);
+
+ if (size < 8)
+ return 0;
if (priv->alternate)
priv->slider = data[7];
--
2.47.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event()
2026-05-08 13:33 [PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event() Jinmo Yang
@ 2026-05-12 16:10 ` Jiri Kosina
0 siblings, 0 replies; 2+ messages in thread
From: Jiri Kosina @ 2026-05-12 16:10 UTC (permalink / raw)
To: Jinmo Yang
Cc: marcus.folkesson, benjamin.tissoires, linux-input, linux-kernel,
stable
On Fri, 8 May 2026, Jinmo Yang wrote:
> pxrc_raw_event() accesses data[7] without verifying that the buffer is
> large enough. A device that sends a report shorter than 8 bytes causes
> an out-of-bounds read (priv->dial = data[7]) and an out-of-bounds write
> (data[7] = priv->dial) on the report buffer, corrupting adjacent slab
> memory.
>
> This can be triggered from userspace via /dev/uhid by creating a virtual
> device with VID 0x1781 / PID 0x0898 and sending a short UHID_INPUT2
> report.
>
> Add a size check at the top of pxrc_raw_event() to bail out when the
> report buffer is shorter than 8 bytes.
>
> Fixes: a2dccedac664 ("HID: pxrc: new driver for PhoenixRC Flight Controller Adapter")
Where is this tag coming from?
No such hash exists in Linus' tree, and the commit that actually added the
driver has a different shortlog.
Is this some LLM halucination?
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-12 16:10 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 13:33 [PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event() Jinmo Yang
2026-05-12 16:10 ` Jiri Kosina
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox