Re: [RFC v3 2/2] HID: core: Check to ensure report responses match the request
From: Benjamin Tissoires
Date: Tue Mar 17 2026 - 11:06:58 EST
On Mar 17 2026, Lee Jones wrote:
> On Mon, 16 Mar 2026, Benjamin Tissoires wrote:
>
> > On Mar 09 2026, Lee Jones wrote:
> > > It is possible for a malicious (or clumsy) device to respond to a
> > > specific report's feature request using a completely different report
> > > ID. This can cause confusion in the HID core resulting in nasty
> > > side-effects such as OOB writes.
> > >
> > > Add a check to ensure that the report ID in the response matches the
> > > one that was requested.
> > >
> > > Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
> > > ---
> > > v2 -> v3: Cover more bases by moving the check up a layer from MT to HID Core
> > >
> > > RFC query: Is this always okay?
> > > Should the report number always match the request?
> > > Are there legitimate times where the two would differ?
> >
> > Technically, there is no reason for a HID_SET_REPORT request to change
> > the incoming buffer. So that test might break it.
> >
> > I preferred fixing the calling sites (hid-multitouch and others), because
> > here we are making decisions on the device behaviour which is not ours
> > to make. More specifically, such a test will prevent us from fixing a bogus
> > device by plainly rejecting the call after the fact.
>
> Okay, so this one is a NACK? No changes, do not resend?
>
Yes, NACK on this one. I've merged the hid-multitouch one which wasn't
using the API correctly, please send a follow-up for the other similar
cases.
Cheers,
Benjamin
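
As an added illustration (not code from this thread or from the kernel), the following userspace C model shows a report-ID check done at the calling site, where the caller decides whether a mismatched reply is rejected or fixed up. The callback type, the policy enum, the function names and the two sample devices are all hypothetical and constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical transport callback: fills buf with the device's reply and
 * returns the number of bytes written, or a negative errno. */
typedef int (*get_feature_fn)(uint8_t report_id, uint8_t *buf, size_t len);

/* Hypothetical per-driver policy for a reply carrying the wrong report ID. */
enum mismatch_policy { MISMATCH_REJECT, MISMATCH_FIXUP };

/* Call-site check: validate the reply before any code parses buf by its ID. */
int get_feature_checked(get_feature_fn dev, uint8_t report_id, uint8_t *buf,
                        size_t len, enum mismatch_policy policy)
{
    int ret;

    if (!buf || len < 1)
        return -EINVAL;
    ret = dev(report_id, buf, len);
    if (ret < 0)
        return ret;                 /* transport error, pass it up */
    if (ret < 1 || (size_t)ret > len)
        return -EIO;                /* empty reply or claimed length > buffer */
    if (buf[0] != report_id) {
        if (policy == MISMATCH_REJECT)
            return -EPROTO;         /* never parse it as the other report */
        buf[0] = report_id;         /* known-bogus device: caller fixes up */
    }
    return ret;
}

/* Constructed device: replies with the requested ID and two payload bytes. */
int dev_honest(uint8_t report_id, uint8_t *buf, size_t len)
{
    const uint8_t reply[3] = { report_id, 0x01, 0x02 };
    size_t n = len < sizeof(reply) ? len : sizeof(reply);

    memcpy(buf, reply, n);
    return (int)n;
}

/* Constructed device: always answers as report 0x07, whatever was asked. */
int dev_wrong_id(uint8_t report_id, uint8_t *buf, size_t len)
{
    (void)report_id;
    return dev_honest(0x07, buf, len);
}
```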