[PATCH 1/2] HID: core: Mitigate potential OOB by removing bogus memset()

Next message: Sean Christopherson: "Re: [PATCH 3/3] KVM: x86: Check for injected exceptions before queuing a debug exception"
Previous message: Catalin Marinas: "Re: [PATCH] arm64: runtime-const: save one instruction when ARM64_VA_BITS &lt;= 48"
Next in thread: Lee Jones: "[PATCH 2/2] HID: multitouch: Check to ensure report responses match the request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Lee Jones

Date: Fri Feb 27 2026 - 11:35:38 EST

The memset() in hid_report_raw_event() has the good intention of
clearing out bogus data by zeroing the area from the end of the incoming
data string to the assumed end of the buffer. However, as we have
recently seen, the size of the report buffer isn't always correct which
can culminate in OOB writes.

The current suggestion from one of the HID maintainers is to remove the
attempt completely. The subsequent handling should be able to simply
use the data size provided to prevent any potential overruns.

Suggested-by Benjamin Tissoires <bentiss@xxxxxxxxxx>
Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
---
drivers/hid/hid-core.c | 6 ------
1 file changed, 6 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index a5b3a8ca2fcb..1d51042e4b1f 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2056,12 +2056,6 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
else if (rsize > max_buffer_size)
rsize = max_buffer_size;

- if (csize < rsize) {
- dbg_hid("report %d is too short, (%d < %d)\n", report->id,
- csize, rsize);
- memset(cdata + csize, 0, rsize - csize);
- }
-
if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
hid->hiddev_report_event(hid, report);
if (hid->claimed & HID_CLAIMED_HIDRAW) {
--
2.53.0.473.g4a7958ca14-goog