Re: [PATCH v3 1/4] HID: pass the buffer size to hid_report_raw_event
From: Greg Kroah-Hartman
Date: Mon May 04 2026 - 08:21:57 EST
On Mon, May 04, 2026 at 10:47:22AM +0200, Benjamin Tissoires wrote:
> commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
> bogus memset()") enforced the provided data to be at least the size of
> the declared buffer in the report descriptor to prevent a buffer
> overflow. However, we can try to be smarter by providing both the buffer
> size and the data size, meaning that hid_report_raw_event() can make a
> better decision whether we should plainly reject the buffer (buffer
> overflow attempt) or if we can safely memset it to 0 and pass it to the
> rest of the stack.
>
> Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Benjamin Tissoires <bentiss@xxxxxxxxxx>
Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
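
The decision the commit message describes, sketched as a userspace C model. This is an added example, not code from the patch or the kernel; check_report() and its parameter names (bufsize, size, rsize) are assumptions made for illustration, and the demo buffers are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model only, not the kernel's hid_report_raw_event().
 * data/bufsize: buffer and its allocated size (assumed parameter names)
 * size:         bytes actually received from the device
 * rsize:        report length declared by the report descriptor
 */
static int check_report(unsigned char *data, size_t bufsize,
                        size_t size, size_t rsize)
{
    if (size > bufsize)
        return -EINVAL;         /* claimed data does not fit the buffer */
    if (size >= rsize)
        return 0;               /* full report, nothing to pad */
    if (bufsize < rsize)
        return -EINVAL;         /* padding to rsize would write out of bounds */
    memset(data + size, 0, rsize - size);   /* safe: rsize <= bufsize */
    return 0;
}

/* Constructed case: 8-byte report, 3 bytes received, 8-byte buffer. */
static int demo_padded(void)
{
    unsigned char buf[8];
    size_t i;

    memset(buf, 0xAA, sizeof(buf));
    if (check_report(buf, sizeof(buf), 3, 8) != 0)
        return 0;
    for (i = 0; i < 3; i++)
        if (buf[i] != 0xAA) return 0;   /* received bytes untouched */
    for (i = 3; i < 8; i++)
        if (buf[i] != 0x00) return 0;   /* tail zero-filled */
    return 1;
}

/* Constructed case: same short report, but the buffer holds only 4 bytes. */
static int demo_rejected(void)
{
    unsigned char buf[4] = { 0xAA, 0xAA, 0xAA, 0xAA };

    return check_report(buf, sizeof(buf), 3, 8) == -EINVAL && buf[3] == 0xAA;
}

int main(void)
{
    printf("padded=%d rejected=%d\n", demo_padded(), demo_rejected());
    return 0;
}
```

With only the data size available, the two short-report cases are indistinguishable, which is why the earlier fix had to reject both.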