Re: [PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement
From: Jiri Kosina
Date: Sat Feb 21 2026 - 04:49:32 EST

On Wed, 11 Feb 2026, Lee Jones wrote:
> Since the report ID is located within the data buffer, overwriting it
> would mean that any subsequent matching could cause a disparity in
> assumed allocated buffer size. This in turn could trivially result in
> an out-of-bounds condition. To mitigate this issue, let's refuse to
> overwrite a given report's data area if the ID in get_report_reply
> doesn't match.

Applied to hid.git#for-7.0/upstream-fixes, thanks.
--
Jiri Kosina
SUSE Labs