Re: [PATCH 1/1] HID: uhid: Fix out-of-bounds write caused by raw events mismanagement
From: Jiri Kosina
Date: Tue Feb 24 2026 - 03:46:09 EST
On Sat, 21 Feb 2026, Jiri Kosina wrote:
> > > Since the report ID is located within the data buffer, overwriting it
> > > would mean that any subsequent matching could cause a disparity in
> > > assumed allocated buffer size. This in turn could trivially result in
> > > an out-of-bounds condition. To mitigate this issue, let's refuse to
> > > overwrite a given report's data area if the ID in get_report_reply
> > > doesn't match.
> >
> > That's a strong assumption and a breakage of the userspace FWIW. The CI
> > is now full of errors:
> > https://gitlab.freedesktop.org/bentiss/hid/-/commits/for-7.0/upstream-fixes
> >
> > It is pretty common to allocate the buffer and not initialize it in
> > get_report operations.
> >
> > It was a bad API choice to have rnum and data[0] for all HID requests
> > (internally, externally), but we should stick to it. The CI breakage in
> > itself is not a big issue TBH, but if it breaks here, it will probably
> > break existing users.
>
> Lee,
>
> was this found via code inspection, fuzzing, or is there some real-world
> report behind it?
For now I've dropped this from for-7.0/upstream-fixes until it's all
clarified.
Thanks,
--
Jiri Kosina
SUSE Labs
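The hazard Lee's commit message describes (the report ID living in data[0], so that a reply with a mismatched ID lets later code assume a larger allocation than the requested report actually got) can be modelled in a few lines. The following is an added, self-contained C example, not kernel code and not anything posted in this thread: the report table, the reply and buffer structs, and both policies are hypothetical. store_reply_strict() implements the refuse-on-mismatch rule as the commit message states it; store_reply_lenient() is a constructed alternative that tolerates an uninitialised data[0] (the userspace behaviour Benjamin describes) by bounding the copy on the requested ID and normalising data[0], and is offered only to make the trade-off concrete.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a device's reports (hypothetical descriptor, not the
 * kernel's tables): report ID -> payload size the kernel would allocate. */
#define MAX_REPORT_ID 3
static const size_t report_size[MAX_REPORT_ID + 1] = { 0, 8, 16, 64 };

/* Constructed model of a userspace get_report reply: by HID convention
 * data[0] carries the report ID, but userspace may leave it uninitialised. */
struct reply {
    size_t size;        /* bytes of data[] userspace claims are valid */
    uint8_t data[64];
};

/* Buffer sized for the report that was actually requested. */
struct report_buf {
    uint8_t id;         /* report ID the request asked for */
    size_t cap;         /* bytes allocated for that ID */
    uint8_t data[64];
};

void report_buf_init(struct report_buf *b, uint8_t id)
{
    b->id = id;
    b->cap = id <= MAX_REPORT_ID ? report_size[id] : 0;
    memset(b->data, 0, sizeof b->data);
}

/* The hazard the thread describes: once the reply is in the buffer, code that
 * re-derives the size from data[0] trusts an ID that may not belong to this
 * buffer. Returns the byte count such code would assume. */
size_t len_from_reply_id(const struct report_buf *b)
{
    uint8_t id = b->data[0];
    return id <= MAX_REPORT_ID ? report_size[id] : 0;
}

/* 1 if a write of len_from_reply_id() bytes would exceed the allocation. */
int would_overrun(const struct report_buf *b)
{
    return len_from_reply_id(b) > b->cap;
}

/* Strict policy, as the commit message describes the dropped patch: reject
 * the reply when its data[0] disagrees with the requested ID.
 * Returns 0 on success, -1 on ID mismatch, -2 on oversize reply. */
int store_reply_strict(struct report_buf *b, const struct reply *r)
{
    if (r->size == 0 || r->data[0] != b->id)
        return -1;
    if (r->size > b->cap)
        return -2;
    memcpy(b->data, r->data, r->size);
    return 0;
}

/* Lenient policy (hypothetical alternative, not proposed in the thread): keep
 * accepting replies whose data[0] is stale, but bound the copy by the
 * requested ID's allocation and stamp data[0] so later lookups keyed on it
 * agree with the buffer's real capacity. Returns 0 or -2. */
int store_reply_lenient(struct report_buf *b, const struct reply *r)
{
    if (r->size == 0 || r->size > b->cap)
        return -2;
    memcpy(b->data, r->data, r->size);
    b->data[0] = b->id;
    return 0;
}

int main(void)
{
    struct report_buf b;
    struct reply r = { .size = 8 };   /* constructed: 8 bytes for report 1 ... */
    r.data[0] = 3;                    /* ... but data[0] still holds junk: ID 3 */

    report_buf_init(&b, 1);
    memcpy(b.data, r.data, r.size);   /* unchecked copy */
    printf("unchecked: derived len %zu, cap %zu, overrun=%d\n",
           len_from_reply_id(&b), b.cap, would_overrun(&b));

    report_buf_init(&b, 1);
    printf("strict:   rc=%d\n", store_reply_strict(&b, &r));
    report_buf_init(&b, 1);
    printf("lenient:  rc=%d overrun=%d\n", store_reply_lenient(&b, &r),
           would_overrun(&b));
    return 0;
}
```

With the unchecked copy, a reply for report 1 whose data[0] still reads 3 makes any later size lookup keyed on data[0] assume 64 bytes against an 8-byte allocation; the strict policy rejects that reply outright (which is the breakage the CI run showed for userspace that never sets data[0]), while the lenient variant accepts it and removes the disparity by fixing up the ID instead.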