From: "Günther Noack" <gnoack@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: "Filipe Laíns" <lains@riseup.net>,
"Bastien Nocera" <hadess@hadess.net>,
"Jiri Kosina" <jikos@kernel.org>,
"Benjamin Tissoires" <bentiss@kernel.org>,
stable@vger.kernel.org, linux-input@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()
Date: Fri, 9 Jan 2026 13:41:13 +0100 [thread overview]
Message-ID: <aWD3aXy9OzH_u73S@google.com> (raw)
In-Reply-To: <2026010956-anteater-pungent-d5b6@gregkh>
On Fri, Jan 09, 2026 at 12:14:43PM +0100, Greg KH wrote:
> On Fri, Jan 09, 2026 at 11:59:12AM +0100, Günther Noack wrote:
> > Do not crash when a report has no fields.
> >
> > Fake USB gadgets can send their own HID report descriptors and can define report
> > structures without valid fields. This can be used to crash the kernel over USB.
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Günther Noack <gnoack@google.com>
> > ---
> > drivers/hid/hid-logitech-hidpp.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
> > index 9ced0e4d46ae..919ba9f50292 100644
> > --- a/drivers/hid/hid-logitech-hidpp.c
> > +++ b/drivers/hid/hid-logitech-hidpp.c
> > @@ -4316,6 +4316,9 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
> > if (!report)
> > return 0;
> >
> > + if (!report->maxfield)
> > + return 0;
>
> Combine this with the if() above this?
OK, done. I sent a V2:
https://lore.kernel.org/all/20260109122557.3166556-3-gnoack@google.com/
> And if we are going to be handling "malicious" USB devices, be careful,
> you are just moving the target lower down, you also need to audit ALL
> data coming from the device, not just the descriptors. I'm all for
> this, just realize that this is a change in how Linux treats devices
> (and all other operating systems as well.)
Thanks. Yes, I realize that the later communication with the device is also a
potential way to trigger bugs.
> For now, we strongly recommend not allowing "untrusted" devices to bind
> to your system if this is a threat model you care about.
>
> Not to reject this, or your other patch like this, just letting you
> know.
Acknowledged, thanks.
-Günther
prev parent reply other threads:[~2026-01-09 12:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-09 10:59 [PATCH] HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Günther Noack
2026-01-09 11:14 ` Greg KH
2026-01-09 12:41 ` Günther Noack [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aWD3aXy9OzH_u73S@google.com \
--to=gnoack@google.com \
--cc=bentiss@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hadess@hadess.net \
--cc=jikos@kernel.org \
--cc=lains@riseup.net \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox