[PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement
From: Lee Jones
Date: Wed Feb 11 2026 - 11:40:53 EST
Since the report ID is located within the data buffer, overwriting it
would mean that any subsequent matching could cause a disparity in
assumed allocated buffer size. This in turn could trivially result in
an out-of-bounds condition. To mitigate this issue, let's refuse to
overwrite a given report's data area if the ID in get_report_reply
doesn't match.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: fcfcf0deb89ec ("HID: uhid: implement feature requests")
Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
---
drivers/hid/uhid.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
index 21a70420151e..a0ee4e86656f 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -262,6 +262,10 @@ static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
req = &uhid->report_buf.u.get_report_reply;
if (req->err) {
ret = -EIO;
+ } else if (rnum != req->data[0]) {
+ hid_err(hid, "Report ID mismatch - refusing to overwrite the data buffer\n");
+ ret = -EINVAL;
+ goto unlock;
} else {
ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
memcpy(buf, req->data, ret);
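Review bot: the added `else if (rnum != req->data[0])` test reads `req->data[0]` without first checking `req->size`, even though the copy path right below it treats `req->size` as the valid length of the reply. With a reply whose size is 0, the comparison is made against whatever byte is already sitting in `report_buf`, so the check can pass or fail on stale data. Consider rejecting the short reply in the same condition, for example `else if (req->size < 1 || rnum != req->data[0])`. Two smaller points: the `req->err` branch above only sets `ret` and falls out of the chain, while the new branch also does `goto unlock`; if nothing between the end of the chain and the label has to be skipped, dropping the goto would keep the branches consistent. And since the condition depends on the contents of the reply, `hid_err()` here can be hit repeatedly; a rate-limited or debug-level message may be the better fit.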
--
2.53.0.273.g2a3d683680-goog