[PATCH 2/2] HID: multitouch: Check to ensure report responses match the request

Next message: Andy Shevchenko: "Re: [PATCH] iio: imu: adis16550: fix swapped gyro/accel filter functions"
Previous message: Borislav Petkov: "Re: [PATCH -v2] x86/split_lock: Restructure the unwieldy switch-case in sld_state_show()"
In reply to: Lee Jones: "[PATCH 1/2] HID: core: Mitigate potential OOB by removing bogus memset()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Lee Jones

Date: Fri Feb 27 2026 - 11:33:49 EST

It is possible for a malicious (or clumsy) device to respond to a
specific report's feature request using a completely different report
ID. This can cause confusion in the HID core resulting in nasty
side-effects such as OOB writes.

Add a check to ensure that the report ID in the response, matches the
one that was requested. If it doesn't, omit reporting the raw event and
return early.

Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
---
drivers/hid/hid-multitouch.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index b1c3ef129058..834c1a334887 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -499,12 +499,19 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
dev_warn(&hdev->dev, "failed to fetch feature %d\n",
report->id);
} else {
+ /* The report ID in the request and the response should match */
+ if (report->id != buf[0]) {
+ hid_err(hdev, "Returned feature report did not match the request\n");
+ goto free;
+ }
+
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
size, 0);
if (ret)
dev_warn(&hdev->dev, "failed to report feature\n");
}

+free:
kfree(buf);
}

--
2.53.0.473.g4a7958ca14-goog