[RFC v3 2/2] HID: core: Check to ensure report responses match the request
From: Lee Jones
Date: Mon Mar 09 2026 - 11:08:02 EST
It is possible for a malicious (or clumsy) device to respond to a
specific report's feature request using a completely different report
ID. This can cause confusion in the HID core resulting in nasty
side-effects such as OOB writes.
Add a check to ensure that the report ID in the response matches the
one that was requested.
Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
---
v2 -> v3: Cover more bases by moving the check up a layer from MT to HID Core
RFC query: Is this always okay?
Should the report number always match the request?
Are there legitimate times where the two would differ?
drivers/hid/hid-core.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index da9231ca42bc..da4078554331 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2490,8 +2490,17 @@ int __hid_hw_raw_request(struct hid_device *hdev,
if (ret)
return ret;
- return hdev->ll_driver->raw_request(hdev, reportnum, buf, len,
- rtype, reqtype);
+ ret = hdev->ll_driver->raw_request(hdev, reportnum, buf, len,
+ rtype, reqtype);
+ if (ret)
+ return ret;
+
+ if (reportnum != buf[0]) {
+ hid_err(hdev, "Returned feature report did not match the request\n");
+ return -EINVAL;
+ }
+
+ return 0;
}
/**
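Review bot: The early return `if (ret) return ret;` placed after the `raw_request()` call exits on any non-zero value, not only on errors. The pre-patch code passed the low-level driver's return value straight through to the caller, so if that value is a positive byte count on success, the new report ID comparison is never reached. The final `return 0;` would also change what callers receive on success. Consider `if (ret < 0) return ret;` and returning `ret` at the end. Separately, the comparison `reportnum != buf[0]` does not consult `reqtype`, `rtype` or `len`. It therefore also runs for requests where `buf` carries the caller's outgoing data rather than a device response, it reads `buf[0]` even when `len` is 0, and it logs "feature report" whatever the `rtype`. Restricting the check to `HID_REQ_GET_REPORT` with a non-zero length, and making the message generic, would address that and bears directly on the RFC question of whether the two values must always match.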
--
2.53.0.473.g4a7958ca14-goog