Re: [PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement
From: Jiri Kosina
Date: Sat Feb 21 2026 - 14:46:52 EST
On Sat, 21 Feb 2026, Benjamin Tissoires wrote:
> > Since the report ID is located within the data buffer, overwriting it
> > would mean that any subsequent matching could cause a disparity in
> > assumed allocated buffer size. This in turn could trivially result in
> > an out-of-bounds condition. To mitigate this issue, let's refuse to
> > overwrite a given report's data area if the ID in get_report_reply
> > doesn't match.
>
> That's a strong assumption and a breakage of the userspace FWIW. The CI
> is now full of errors:
> https://gitlab.freedesktop.org/bentiss/hid/-/commits/for-7.0/upstream-fixes
>
> It is pretty common to allocate the buffer and not initialize it in
> get_report operations.
>
> It was a bad API choice to have rnum and data[0] for all HID requests
> (internally, externally), but we should stick to it. The CI breakage in
> itself is not a big issue TBH, but if it breaks here, it will probably
> break existing users.
Lee,
was this found via code inspection, fuzzing, or is there some real-world
report behind it?
Thanks,
--
Jiri Kosina
SUSE Labs
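The mechanism the two messages above argue about, reduced to a small model: the kernel side allocates a buffer sized for the report it requested, userspace answers with a byte count and a data area whose first byte is, by HID convention, the report ID, and the reply gets copied in. This is an added example and not uhid's code or anything from the patch in the thread; `struct report_request`, `struct report_reply`, `copy_report_reply()` and `try_reply()` are hypothetical names. It shows the two checks separately: the ID comparison that the patch description proposes (and which, as Benjamin notes, rejects replies from userspace that never wrote `data[0]`), and a length bound against the allocated size, which is the check that stops the out-of-bounds write regardless of what the reply's first byte contains.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a GET_REPORT round trip; not uhid's own types. */

enum reply_status {
    REPLY_OK          =  0,
    REPLY_ID_MISMATCH = -1,  /* reply's data[0] is not the requested ID */
    REPLY_TOO_LONG    = -2,  /* reply would overrun the request buffer  */
};

struct report_request {
    uint8_t  id;        /* report ID that was asked for */
    size_t   buf_size;  /* bytes allocated for the answer */
    uint8_t *buf;       /* buf[0] is the report ID by HID convention */
};

struct report_reply {
    uint8_t size;       /* number of valid bytes in data */
    uint8_t data[64];   /* data[0] may be left uninitialized by userspace */
};

/* Copy a reply into the request buffer. The size bound is what prevents an
 * out-of-bounds write: a reply claiming more bytes than were allocated for
 * the requested report is refused before anything is written. The optional
 * ID comparison is the stricter policy from the patch description. */
int copy_report_reply(struct report_request *req,
                      const struct report_reply *rep, int check_id)
{
    if (rep->size > req->buf_size)
        return REPLY_TOO_LONG;
    if (check_id && rep->size > 0 && rep->data[0] != req->id)
        return REPLY_ID_MISMATCH;
    memcpy(req->buf, rep->data, rep->size);
    return REPLY_OK;
}

/* Build one scenario: a request for report `req_id` with `buf_size` bytes
 * reserved, answered by a reply of `rep_size` bytes whose first byte is
 * `rep_id`. Returns the status copy_report_reply() produced. */
int try_reply(uint8_t req_id, size_t buf_size,
              uint8_t rep_id, uint8_t rep_size, int check_id)
{
    uint8_t backing[64] = {0};             /* stands in for the kmalloc'd area */
    struct report_request req = { req_id, buf_size, backing };
    struct report_reply rep;

    memset(&rep, 0xAA, sizeof(rep));       /* constructed payload bytes */
    rep.size = rep_size;
    rep.data[0] = rep_id;
    return copy_report_reply(&req, &rep, check_id);
}

int main(void)
{
    /* Matching ID, reply fits: accepted either way. */
    printf("match, fits, id-check on : %d\n", try_reply(3, 8, 3, 4, 1));
    /* Reply longer than the allocation: refused by the size bound. */
    printf("match, too long          : %d\n", try_reply(3, 8, 3, 16, 1));
    /* Userspace left data[0] stale: rejected only if the ID check is on. */
    printf("stale id, id-check on    : %d\n", try_reply(3, 8, 7, 4, 1));
    printf("stale id, id-check off   : %d\n", try_reply(3, 8, 7, 4, 0));
    return 0;
}
```

The third and fourth calls are the point of contention in the thread: with the ID comparison enabled, an otherwise well-formed reply whose first byte was never set is rejected, while the size bound alone still rejects the over-long reply in the second call.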