Re: [PATCH] HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
From: Gerecke, Jason
Date: Fri Mar 06 2026 - 14:33:14 EST
On Mar 3 2026, Benoît Sevens wrote:
> The wacom_intuos_bt_irq() function processes Bluetooth HID reports
> without sufficient bounds checking. A maliciously crafted short report
> can trigger an out-of-bounds read when copying data into the wacom
> structure.
>
> Specifically, report 0x03 requires at least 22 bytes to safely read
> the processed data and battery status, while report 0x04 (which
> falls through to 0x03) requires 32 bytes.
>
> Add explicit length checks for these report IDs and log a warning if
> a short report is received.
>
> Signed-off-by: Benoît Sevens <bsevens@xxxxxxxxxx>
> ---
> drivers/hid/wacom_wac.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
> index 9b2c710f8da1..da1f0ea85625 100644
> --- a/drivers/hid/wacom_wac.c
> +++ b/drivers/hid/wacom_wac.c
> @@ -1208,10 +1208,20 @@ static int wacom_intuos_bt_irq(struct wacom_wac *wacom, size_t len)
>
> switch (data[0]) {
> case 0x04:
> + if (len < 32) {
> + dev_warn(wacom->pen_input->dev.parent,
> + "Report 0x04 too short: %zu bytes\n", len);
> + break;
> + }
> wacom_intuos_bt_process_data(wacom, data + i);
> i += 10;
> fallthrough;
> case 0x03:
> + if (i == 1 && len < 22) {
> + dev_warn(wacom->pen_input->dev.parent,
> + "Report 0x03 too short: %zu bytes\n", len);
> + break;
> + }
> wacom_intuos_bt_process_data(wacom, data + i);
> i += 10;
> wacom_intuos_bt_process_data(wacom, data + i);
> --
> 2.53.0.473.g4a7958ca14-goog
Seems reasonable enough...
Reviewed-by: Jason Gerecke <jason.gerecke@xxxxxxxxx>
Note: this file is chock-full of functions that blindly process the
buffer in a way that could lead to out-of-bounds reads. I don't mind
fixing these two specific cases as an improvement, but we should
consider working on the other cases as well.
For reference, the potential OOB issues were introduced by commit
5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit").
Prior to that point, all processing was done from a local statically-
sized buffer. Short packets might have led to unintentional behavior
but not an OOB read. We now work directly from the pointer provided
by HID and (usually) do no bounds checking to make sure the lengths
are reasonable.