[PATCH 2/4] HID: bpf: prevent buffer overflow in hid_hw_request

From: Benjamin Tissoires

Date: Fri Mar 13 2026 - 03:41:12 EST


Right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrarily big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Benjamin Tissoires <bentiss@xxxxxxxxxx>
---
drivers/hid/bpf/hid_bpf_dispatch.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index f3d15994ca1e..50c7b45c59e3 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -444,6 +444,8 @@ hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
(u64)(long)ctx,
true); /* prevent infinite recursions */

+ if (ret > size)
+ ret = size;
if (ret > 0)
memcpy(buf, dma_data, ret);

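Review bot: the new `if (ret > size)` comparison runs before the `if (ret > 0)` check, so it also sees negative error returns, and the declarations of `ret` and `size` are outside the visible context. If `ret` is a signed int and `size` is unsigned (the hunk header shows `size_t buf__sz`), a negative `ret` is converted to a very large unsigned value, the comparison is true, the error code is overwritten with `size`, and the `memcpy()` below then copies `size` bytes after a failed request. Please confirm the types, and consider putting the clamp inside the positive branch so errors pass through untouched, for example `if (ret > 0) memcpy(buf, dma_data, min_t(size_t, ret, size));` with the returned `ret` clamped the same way. A short comment saying that the value comes from a struct_ops callback and cannot be trusted would also help future readers see why the clamp is there.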

--
2.52.0