Re: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup

From: Bastien Nocera

Date: Sun Mar 01 2026 - 04:19:42 EST


On Sun, 2026-03-01 at 01:26 +0800, Eric-Terminal wrote:
> From: Yufan Chen <ericterminal@xxxxxxxxx>
>
> hidp_setup_hid() duplicates the report descriptor from userspace based on
> req->rd_size. Large values can trigger oversized copies.
>
> Do not reject the connection when rd_size exceeds
> HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
> and use the capped value for memdup_user() and session->rd_size.
>
> This keeps compatibility with existing userspace behavior while
> bounding memory usage in the HID setup path.

Cross-sending this to linux-input@ for review; they would know the best
way to deal with oversized HID descriptors.

>
> Signed-off-by: Yufan Chen <ericterminal@xxxxxxxxx>
> ---
>  net/bluetooth/hidp/core.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6fe815241..31aeffa39 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session
> *session,
>   const struct hidp_connadd_req *req)
>  {
>   struct hid_device *hid;
> + unsigned int rd_size;
>   int err;
>  
> - session->rd_data = memdup_user(req->rd_data, req->rd_size);
> + rd_size = min_t(unsigned int, req->rd_size,
> HID_MAX_DESCRIPTOR_SIZE);
> +
> + session->rd_data = memdup_user(req->rd_data, rd_size);
>   if (IS_ERR(session->rd_data))
>   return PTR_ERR(session->rd_data);
>  
> - session->rd_size = req->rd_size;
> + session->rd_size = rd_size;
>  
>   hid = hid_allocate_device();
>   if (IS_ERR(hid)) {
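
Review bot: silently capping at `rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);` hands the HID core a descriptor cut off at an arbitrary byte, so session->rd_size no longer matches the descriptor userspace actually supplied and the parsed device may not be the one the caller described. A request whose rd_size exceeds HID_MAX_DESCRIPTOR_SIZE is malformed rather than merely large, so returning -EINVAL (or at least emitting a rate-limited warning before using the shorter copy) seems safer than truncation; if the cap is kept for compatibility, the commit message should state how the HID parser behaves on a truncated descriptor and a one-line comment above the min_t should explain why a cap was chosen over an error. The memory bound itself holds, since memdup_user() now copies at most HID_MAX_DESCRIPTOR_SIZE bytes.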