Re: [PATCH 0/4] HID: wacom: add report length validation in irq handlers

From: Jiri Kosina

Date: Wed Jun 10 2026 - 12:19:27 EST


On Sun, 17 May 2026, Jinmo Yang wrote:

> Several wacom IRQ handler sub-functions access fixed offsets in the raw
> HID report buffer without validating the buffer length. wacom_wac_irq()
> receives the length from wacom_raw_event() but does not validate it
> before dispatching to the sub-functions, which do not receive the length
> parameter.
>
> A malicious USB device can declare a small HID report in its descriptor
> and send a matching short report that passes the HID core size check
> (csize >= rsize), but the driver assumes a full-size hardware report
> layout, leading to slab-out-of-bounds reads.
>
> Note: this is not mitigated by the recent HID core bounds checking
> series which validates actual_size >= declared_size. An attacker
> controls both the descriptor (declared size) and the sent data (actual
> size), so the core check passes. Driver-level validation against the
> expected hardware report layout is still necessary.
>
> Tested with KASAN on Linux 7.1-rc3 (slab-out-of-bounds confirmed) and
> verified kernel panic on a production device via uhid.
>
> Jinmo Yang (4):
> HID: wacom: validate report length for PL and PTU handlers
> HID: wacom: validate report length for DTU handler
> HID: wacom: validate report length for DTUS handler
> HID: wacom: validate report length for 24HDT and 27QHDT handlers
>
> drivers/hid/wacom_wac.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)

CCing Ping and Jason for their review. Thanks in advance,

--
Jiri Kosina
SUSE Labs
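Added example (not code from this series, from drivers/hid/wacom_wac.c, or from either poster): a constructed C model of the two length checks the cover letter contrasts. The HID core layer accepts any report whose actual size is at least the size the device declared in its descriptor; the driver layer, which is what the series adds, checks the length against the fixed hardware layout the handler dereferences. Every name, offset and length below (DEMO_REPORT_LEN, the DEMO_OFF_* offsets, the sample reports) is hypothetical and exists only to show why the first check cannot substitute for the second.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example: the offsets, lengths and names are hypothetical and
 * only model a handler that reads a fixed hardware report layout.
 */
#define DEMO_REPORT_LEN   10   /* bytes the handler's layout assumes */
#define DEMO_OFF_X         1   /* 16-bit little-endian X */
#define DEMO_OFF_Y         3   /* 16-bit little-endian Y */
#define DEMO_OFF_PRESSURE  5   /* 16-bit little-endian pressure */
#define DEMO_OFF_BUTTONS   7   /* button bitmask */

struct demo_event {
	uint16_t x, y, pressure;
	uint8_t buttons;
};

enum demo_status {
	DEMO_OK = 0,
	DEMO_REJECTED_BY_CORE,    /* actual report shorter than the declared size */
	DEMO_REJECTED_BY_DRIVER,  /* report shorter than the hardware layout */
};

static uint16_t demo_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Driver-level handler. The length check is the kind of addition the
 * series makes: without it, a report shorter than DEMO_REPORT_LEN would be
 * read past its end at the fixed offsets below.
 */
static int demo_handle_report(const uint8_t *data, size_t len,
			      struct demo_event *ev)
{
	if (len < DEMO_REPORT_LEN)
		return -1;

	ev->x = demo_le16(data + DEMO_OFF_X);
	ev->y = demo_le16(data + DEMO_OFF_Y);
	ev->pressure = demo_le16(data + DEMO_OFF_PRESSURE);
	ev->buttons = data[DEMO_OFF_BUTTONS];
	return 0;
}

/*
 * Models the two layers: the HID core check (actual size >= size declared in
 * the descriptor) and the driver's own check against its layout. Both the
 * declared size and the data come from the device, so the core check alone
 * cannot protect the fixed-offset reads.
 */
enum demo_status demo_raw_event(const uint8_t *data, size_t actual_len,
				size_t declared_len, struct demo_event *ev)
{
	if (actual_len < declared_len)
		return DEMO_REJECTED_BY_CORE;
	if (demo_handle_report(data, actual_len, ev) < 0)
		return DEMO_REJECTED_BY_DRIVER;
	return DEMO_OK;
}

/* Constructed sample reports. */
static const uint8_t demo_full_report[DEMO_REPORT_LEN] = {
	0x02, 0x34, 0x12, 0x78, 0x56, 0xff, 0x03, 0x05, 0x00, 0x00
};
static const uint8_t demo_short_report[4] = { 0x02, 0x34, 0x12, 0x78 };

/* Runs the three cases the cover letter distinguishes; 0 means all behaved as expected. */
int demo_selftest(void)
{
	struct demo_event ev = {0};

	/* Well-behaved device: declared and actual sizes match the layout. */
	if (demo_raw_event(demo_full_report, sizeof demo_full_report,
			   DEMO_REPORT_LEN, &ev) != DEMO_OK)
		return 1;
	if (ev.x != 0x1234 || ev.y != 0x5678 ||
	    ev.pressure != 0x03ff || ev.buttons != 0x05)
		return 2;

	/* Short report against a full-size declaration: the core check stops it. */
	if (demo_raw_event(demo_short_report, sizeof demo_short_report,
			   DEMO_REPORT_LEN, &ev) != DEMO_REJECTED_BY_CORE)
		return 3;

	/* Short report with a matching small declaration: the core check passes
	 * and only the driver's layout check stops it. */
	if (demo_raw_event(demo_short_report, sizeof demo_short_report,
			   sizeof demo_short_report, &ev) != DEMO_REJECTED_BY_DRIVER)
		return 4;

	return 0;
}

int main(void)
{
	int rc = demo_selftest();

	printf("selftest %s\n", rc == 0 ? "passed" : "failed");
	return rc;
}
```

The third case in demo_selftest is the one the cover letter calls out: a descriptor-declared size of 4 with a 4-byte report satisfies the core's size comparison, so the only thing standing between the handler and an out-of-bounds read is a check against the layout constant the handler itself assumes.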