Re: [PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement

[Benjamin Tissoires <bentiss@kernel.org>]

On Feb 26 2026, Lee Jones wrote:
> On Thu, 26 Feb 2026, Benjamin Tissoires wrote:
> 
> > On Feb 26 2026, Lee Jones wrote:
> > > On Tue, 24 Feb 2026, Jiri Kosina wrote:
> > > 
> > > > On Tue, 24 Feb 2026, Benjamin Tissoires wrote:
> > > > 
> > > > > Long story short: that patch is too intrusive as it makes assumption on
> > > > > the behavior of the device. We need to understand where/if the bug was
> > > > > spotted and fix the caller of hid_hw_raw_request, not the uhid
> > > > > implementation.
> > > > 
> > > > Thanks a lot for the analysis, Benjamin!
> > > > 
> > > > I asked about that here:
> > > > 
> > > > 	https://lore.kernel.org/all/172q4775-616s-p7s4-7n80-p8579n0r3516@xreary.bet/
> > > > 
> > > > So let's wait for Lee to clarify. Until that, the patch stays out of the 
> > > > branch.
> > > 
> > > Thanks to both of you for looking into this.  I appreciate your efforts.
> > > 
> > > This is very much real world.
> > > 
> > > Is there a way to add an errata for the PS3 controller?
> > > 
> > 
> > Unfortunatelly no. uhid merely emulates what a device can do, and HID is
> > a convention. So if we were to have a special case to PS3 controllers,
> > we would then start having to maintain an endless list of quirks when
> > the issue is *not* in uhid, but in the processing of the device after
> > (maybe in hid-core?).
> 
> Actually I think the issue is in UHID.  At least the way I read it.

And I disagree :)

> 
> Are there legitimate use-cases for devices overwriting the Report ID
> contained in the first index of the data buffer?  From my very limited
> knowledge of the subsystem, this sounds like an oversight.
> 

Legitimate, probably no, but we are talking about physical devices
here. uhid is a mere replacement of a transport layer, and there is
nothing that prevents a device to reply with a buffer starting with 1
when requested about feature 2 (because it's firmware and they just
don't care).

This happens a lot with proprietary features on devices, when there is
no spec, so ODM provide their own driver and they can do whatever they
want.

If uhid or any transport layer solely takes the decision that a reply to
a request is wrong, we have no chance of fixing it after the fact. This
is what happens with the PS3 controller: an undocumented feature is
used, but that's what the Playstation does, so we need to tag along.

I hope it makes more sense now.

FTR, Lee shared the logs of the issue privately, and I already told him
where we should fix the issue.

Cheers,
Benjamin