Re: [PATCH] HID: hid-goodix-spi: validate report size to prevent stack buffer overflow

From: Jiri Kosina

Date: Wed Jun 10 2026 - 12:54:20 EST


On Fri, 29 May 2026, Tianchu Chen wrote:

> From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
>
> goodix_hid_set_raw_report() builds a protocol frame in a 128-byte stack
> buffer (tmp_buf), writing an 11-12 byte header followed by the
> caller-supplied report data. The HID core caps report size at
> HID_MAX_BUFFER_SIZE (16384) by default, while the driver does not set
> hid_ll_driver.max_buffer_size and performs no bounds checking before
> copying the payload:
>
>     memcpy(tmp_buf + tx_len, buf, len);
>
> A hidraw SET_REPORT ioctl with a report larger than ~116 bytes
> overflows the stack buffer.
>
> Add a size check after constructing the header, rejecting reports that
> would exceed the buffer capacity.
>
> Discovered by Atuin - Automated Vulnerability Discovery Engine.
>
> Fixes: 75e16c8ce283 ("HID: hid-goodix: Add Goodix HID-over-SPI driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Tianchu Chen <flynnnchen@xxxxxxxxxxx>

Applied, thanks and sorry for the delay.

--
Jiri Kosina
SUSE Labs
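
Added example, not the applied patch and not the driver's code: a user-space model of the size check the commit message describes, using the 128-byte buffer, the 11-12 byte header and the 16384-byte HID limit stated there. The function names, the zeroed placeholder header and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BUF_SIZE  128    /* tmp_buf size given in the commit message */
#define MAX_REPORT_SIZE 16384  /* HID_MAX_BUFFER_SIZE given in the commit message */

/*
 * Hypothetical frame builder. Header contents are placeholders; only the
 * header length matters here. Returns the frame length, or -EINVAL when
 * header plus payload would not fit in the output buffer.
 */
static int build_frame(uint8_t *out, size_t out_size, size_t hdr_len,
                       const uint8_t *payload, size_t len)
{
    size_t tx_len;

    if (hdr_len > out_size)
        return -EINVAL;
    memset(out, 0, hdr_len);            /* placeholder header bytes */
    tx_len = hdr_len;

    /* Compare against the remaining space so tx_len + len cannot wrap. */
    if (len > out_size - tx_len)
        return -EINVAL;

    memcpy(out + tx_len, payload, len); /* now bounded by the check above */
    return (int)(tx_len + len);
}

/* Models one SET_REPORT request of len bytes behind a hdr_len-byte header. */
static int model_set_report(size_t hdr_len, size_t len)
{
    static uint8_t report[MAX_REPORT_SIZE]; /* constructed sample payload */
    uint8_t tmp_buf[FRAME_BUF_SIZE];

    if (len > sizeof(report))
        return -EINVAL;
    return build_frame(tmp_buf, sizeof(tmp_buf), hdr_len, report, len);
}

int main(void)
{
    printf("hdr 12, report 116: %d\n", model_set_report(12, 116));
    printf("hdr 12, report 117: %d\n", model_set_report(12, 117));
    return 0;
}
```

With a 12-byte header the largest report that fits is 116 bytes, which matches the "~116 bytes" threshold in the commit message.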