[PATCH] HID: hid-goodix-spi: validate report size to prevent stack buffer overflow

Next message: Venkat Rao Bagalkote: "[mainline]selftests/bpf: task_local_data_race test crashes on PowerPC"
Previous message: Inki Dae: "Re: [PATCH] drm/exynos: fix size_t format string"
Next in thread: Dmitry Torokhov: "Re: [PATCH] HID: hid-goodix-spi: validate report size to prevent stack buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tianchu Chen

Date: Fri May 29 2026 - 09:48:38 EST

From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>

goodix_hid_set_raw_report() builds a protocol frame in a 128-byte stack
buffer (tmp_buf), writing an 11-12 byte header followed by the
caller-supplied report data. The HID core caps report size at
HID_MAX_BUFFER_SIZE (16384) by default, while the driver does not set
hid_ll_driver.max_buffer_size and performs no bounds checking before
copying the payload:

memcpy(tmp_buf + tx_len, buf, len);

A hidraw SET_REPORT ioctl with a report larger than ~116 bytes
overflows the stack buffer.

Add a size check after constructing the header, rejecting reports that
would exceed the buffer capacity.

Discovered by Atuin - Automated Vulnerability Discovery Engine.

Fixes: 75e16c8ce283 ("HID: hid-goodix: Add Goodix HID-over-SPI driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
---
drivers/hid/hid-goodix-spi.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-goodix-spi.c b/drivers/hid/hid-goodix-spi.c
index 80c0288a3..288cb827e 100644
--- a/drivers/hid/hid-goodix-spi.c
+++ b/drivers/hid/hid-goodix-spi.c
@@ -520,6 +520,9 @@ static int goodix_hid_set_raw_report(struct hid_device *hid,
memcpy(tmp_buf + tx_len, args, args_len);
tx_len += args_len;

+ if (tx_len + len > sizeof(tmp_buf))
+ return -EINVAL;
+
memcpy(tmp_buf + tx_len, buf, len);
tx_len += len;

--
2.51.0