[PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Next message: kernel test robot: "Re: [PATCH v4 2/7] mux: Add helper functions for getting optional and selected mux-state"
Previous message: Yohei Kojima: "Re: [PATCH net v2 1/2] net: netdevsim: fix inconsistent carrier state after link/unlink"
Next in thread: Benjamin Tissoires: "Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kwok Kin Ming

Date: Wed Dec 31 2025 - 13:19:31 EST

`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.

The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).

The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.

Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.

The impact is low since access to hidraw devices requires root.

Signed-off-by: Kwok Kin Ming <kenkinming2002@xxxxxxxxx>
---
drivers/hid/i2c-hid/i2c-hid-core.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index 63f46a2e5..5a183af3d 100644
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -286,6 +286,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid,
* In addition to report data device will supply data length
* in the first 2 bytes of the response, so adjust .
*/
+ recv_len = min(recv_len, ihid->bufsize - sizeof(__le16));
error = i2c_hid_xfer(ihid, ihid->cmdbuf, length,
ihid->rawbuf, recv_len + sizeof(__le16));
if (error) {
--
2.52.0