Re: [PATCH 6.12.y] HID: core: Mitigate potential OOB by removing bogus memset()

[Wenshan Lan]

On 6/3/2026 3:04 PM, Benjamin Tissoires wrote:
> On Jun 03 2026, Wenshan Lan wrote:
> > From: Lee Jones <lee@xxxxxxxxxx>
> >
> > [ Upstream commit 0a3fe972a7cb1404f693d6f1711f32bc1d244b1c ]
> >
> > The memset() in hid_report_raw_event() has the good intention of
> > clearing out bogus data by zeroing the area from the end of the incoming
> > data string to the assumed end of the buffer.  However, as we have
> > previously seen, doing so can easily result in OOB reads and writes in
> > the subsequent thread of execution.
> >
> > The current suggestion from one of the HID maintainers is to remove the
> > memset() and simply return if the incoming event buffer size is not
> > large enough to fill the associated report.
> >
> > Suggested-by Benjamin Tissoires <bentiss@xxxxxxxxxx>
> >
> > Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
> > [bentiss: changed the return value]
> > Signed-off-by: Benjamin Tissoires <bentiss@xxxxxxxxxx>
> > [ Replace hid_warn_ratelimited() with hid_warn() in v6.12. ]
> > Signed-off-by: Wenshan Lan <jetlan9@xxxxxxx>
> > ---
> This commit is known for breaking devices. You can't backport this
> without the following 3 fixes:
> 4d3a2a466b8d ("HID: core: Fix size_t specifier in hid_report_raw_event()")
> 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
> 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
>
> Note that this is the same for your 6.6, 6.1 and 5.15 patches.

Thanks for your suggestion, I will send a V2 later.

Wenshan

> Cheers,
> Benjamin
>
> >   drivers/hid/hid-core.c | 7 ++++---
> >   1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> > index 294a25330ed0..6d61bf20ec3f 100644
> > --- a/drivers/hid/hid-core.c
> > +++ b/drivers/hid/hid-core.c
> > @@ -2029,9 +2029,10 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
> >   		rsize = max_buffer_size;
> >   
> >   	if (csize < rsize) {
> > -		dbg_hid("report %d is too short, (%d < %d)\n", report->id,
> > -				csize, rsize);
> > -		memset(cdata + csize, 0, rsize - csize);
> > +		hid_warn(hid, "Event data for report %d was too short (%d vs %d)\n",
> > +			 report->id, rsize, csize);
> > +		ret = -EINVAL;
> > +		goto out;
> >   	}
> >   
> >   	if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
> > --
> > 2.43.0