[PATCH 2/4] HID: wacom: validate report length for DTU handler

From: Jinmo Yang

Date: Sun May 17 2026 - 09:53:36 EST


wacom_dtu_irq() accesses fixed offsets up to data[7] in the raw HID
report buffer without validating the buffer length. This sub-function
is called from wacom_wac_irq() which receives the length parameter but
does not pass it to the handler.

A malicious USB device can declare a small HID report in its descriptor
and send a matching short report that passes the HID core size check
(csize >= rsize), but the driver assumes a full-size hardware report
layout, leading to slab-out-of-bounds reads.

Add a minimum length check in wacom_wac_irq() before dispatching to
wacom_dtu_irq().

Fixes: c8f2edc56acf ("Input: wacom - add support for DTU2231 and DTU1631")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jinmo Yang <jinmo44.yang@xxxxxxxxx>
---
drivers/hid/wacom_wac.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 6d06842b6..873d58a6d 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -3472,6 +3472,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)
break;

case DTU:
+ if (len < 8)
+ return;
sync = wacom_dtu_irq(wacom_wac);
break;

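Review bot: The bare 8 in the added `if (len < 8)` check under `case DTU:` has no stated link to the accesses it protects; the only explanation (wacom_dtu_irq() reads up to data[7]) is in the commit message. A short comment above the check or a named constant for the minimum DTU report length would keep the bound tied to the handler if its offsets ever change. Since the commit message notes that len is not passed to the handler, an alternative is to pass it into wacom_dtu_irq() and validate next to the data[] reads. Also note that the early `return` drops the short report silently, while the neighbouring cases leave the switch with `break`; please confirm that skipping the code after the switch is intended, and consider a rate-limited debug message so a device sending undersized reports is visible in logs.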
--
2.53.0