From: Benjamin Tissoires <bentiss@kernel.org>
To: Wenshan Lan <jetlan9@163.com>
Cc: gregkh@linuxfoundation.org, sashal@kernel.org,
stable@vger.kernel.org, linux-kernel@vger.kernel.org,
Lee Jones <lee@kernel.org>
Subject: Re: [PATCH 6.12.y] HID: core: Mitigate potential OOB by removing bogus memset()
Date: Wed, 3 Jun 2026 09:04:29 +0200 [thread overview]
Message-ID: <ah_RiLcNbfyfDHko@beelink> (raw)
In-Reply-To: <20260603054344.80160-1-jetlan9@163.com>
On Jun 03 2026, Wenshan Lan wrote:
> From: Lee Jones <lee@kernel.org>
>
> [ Upstream commit 0a3fe972a7cb1404f693d6f1711f32bc1d244b1c ]
>
> The memset() in hid_report_raw_event() has the good intention of
> clearing out bogus data by zeroing the area from the end of the incoming
> data string to the assumed end of the buffer. However, as we have
> previously seen, doing so can easily result in OOB reads and writes in
> the subsequent thread of execution.
>
> The current suggestion from one of the HID maintainers is to remove the
> memset() and simply return if the incoming event buffer size is not
> large enough to fill the associated report.
>
> Suggested-by Benjamin Tissoires <bentiss@kernel.org>
>
> Signed-off-by: Lee Jones <lee@kernel.org>
> [bentiss: changed the return value]
> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> [ Replace hid_warn_ratelimited() with hid_warn() in v6.12. ]
> Signed-off-by: Wenshan Lan <jetlan9@163.com>
> ---
This commit is known for breaking devices. You can't backport this
without the following 3 fixes:
4d3a2a466b8d ("HID: core: Fix size_t specifier in hid_report_raw_event()")
206342541fc8 ("HID: core: introduce hid_safe_input_report()")
2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Note that this is the same for your 6.6, 6.1 and 5.15 patches.
Cheers,
Benjamin
> drivers/hid/hid-core.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 294a25330ed0..6d61bf20ec3f 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -2029,9 +2029,10 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
> rsize = max_buffer_size;
>
> if (csize < rsize) {
> - dbg_hid("report %d is too short, (%d < %d)\n", report->id,
> - csize, rsize);
> - memset(cdata + csize, 0, rsize - csize);
> + hid_warn(hid, "Event data for report %d was too short (%d vs %d)\n",
> + report->id, rsize, csize);
> + ret = -EINVAL;
> + goto out;
> }
>
> if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
> --
> 2.43.0
>
>
next prev parent reply other threads:[~2026-06-03 7:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 5:43 [PATCH 6.12.y] HID: core: Mitigate potential OOB by removing bogus memset() Wenshan Lan
2026-06-03 7:04 ` Benjamin Tissoires [this message]
2026-06-03 11:57 ` Wenshan Lan
2026-06-03 12:16 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ah_RiLcNbfyfDHko@beelink \
--to=bentiss@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jetlan9@163.com \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox