* [PATCH] HID: cp2112: validate report size in raw_event handler
@ 2026-03-24 6:43 Sebastian Josue Alba Vives
From: Sebastian Josue Alba Vives @ 2026-03-24 6:43 UTC
To: jikos, bentiss
Cc: linux-input, linux-kernel, stable, Sebastian Josue Alba Vives

cp2112_raw_event() casts the raw data buffer to a
cp2112_xfer_status_report struct and accesses data at offsets up to
data[3+61] without validating the size parameter. Since
__hid_input_report() invokes the driver's raw_event callback before
hid_report_raw_event() performs its own report-size validation, a
device sending a truncated HID report can cause out-of-bounds heap
reads in the kernel.

Specifically, in the CP2112_DATA_READ_RESPONSE case, data[2] is used
as a length (capped at 61 bytes) for a memcpy from data[3] into
dev->read_data. This data is subsequently accessible from userspace
through the I2C read interface. A malicious USB device could
therefore leak up to 61 bytes of kernel heap memory.

CP2112 devices use 64-byte HID reports. Add a check at the top of
the handler to reject any report shorter than expected.

Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
---
drivers/hid/hid-cp2112.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 803b883ae..b86631163 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -1387,6 +1387,10 @@ static int cp2112_raw_event(struct hid_device *hdev, struct hid_report *report,
struct cp2112_device *dev = hid_get_drvdata(hdev);
struct cp2112_xfer_status_report *xfer = (void *)data;
+ /* CP2112 always sends 64-byte reports */
+ if (size < 64)
+ return 0;
+
switch (data[0]) {
case CP2112_TRANSFER_STATUS_RESPONSE:
hid_dbg(hdev, "xfer status: %02x %02x %04x %04x\n",
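
Review bot: The new `if (size < 64)` check hard-codes the report length as a bare literal and drops short reports with `return 0` and no log message. A named constant for the 64-byte report size would tie the bound to the accesses the commit message describes (up to data[3+61]) and keep the comment and the check from drifting apart. A hid_dbg() or hid_warn() line before the return would make a device that sends truncated reports visible instead of silently ignored. The comment should also say why 0 is returned rather than a negative error, since 0 reads as success to the caller while the commit message describes the report as rejected.
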
--
2.43.0