From: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
To: jikos@kernel.org, bentiss@kernel.org
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org,
Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Subject: [PATCH] HID: cp2112: validate report size in raw_event handler
Date: Tue, 24 Mar 2026 00:43:32 -0600 [thread overview]
Message-ID: <20260324064332.346342-1-sebasjosue84@gmail.com> (raw)
cp2112_raw_event() casts the raw data buffer to a
cp2112_xfer_status_report struct and accesses data at offsets up to
data[3+61] without validating the size parameter. Since
__hid_input_report() invokes the driver's raw_event callback before
hid_report_raw_event() performs its own report-size validation, a
device sending a truncated HID report can cause out-of-bounds heap
reads in the kernel.
Specifically, in the CP2112_DATA_READ_RESPONSE case, data[2] is used
as a length (capped at 61 bytes) for a memcpy from data[3] into
dev->read_data. This data is subsequently accessible from userspace
through the I2C read interface. A malicious USB device could
therefore leak up to 61 bytes of kernel heap memory.
CP2112 devices use 64-byte HID reports. Add a check at the top of
the handler to reject any report shorter than expected.
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
---
drivers/hid/hid-cp2112.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 803b883ae..b86631163 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -1387,6 +1387,10 @@ static int cp2112_raw_event(struct hid_device *hdev, struct hid_report *report,
struct cp2112_device *dev = hid_get_drvdata(hdev);
struct cp2112_xfer_status_report *xfer = (void *)data;
+ /* CP2112 always sends 64-byte reports */
+ if (size < 64)
+ return 0;
+
switch (data[0]) {
case CP2112_TRANSFER_STATUS_RESPONSE:
hid_dbg(hdev, "xfer status: %02x %02x %04x %04x\n",
--
2.43.0
reply other threads:[~2026-03-24 6:43 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260324064332.346342-1-sebasjosue84@gmail.com \
--to=sebasjosue84@gmail.com \
--cc=bentiss@kernel.org \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox