Re: [PATCH] HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

Next message: Vladimir Oltean: "Re: [PATCH] x86/entry/vdso: fix path to gettimeofday.c"
Previous message: Denis Benato: "[PATCH 0/2] platform/x86: asus-armoury: add more ppt data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Kosina

Date: Mon Mar 09 2026 - 14:37:17 EST

On Tue, 3 Mar 2026, Benoît Sevens wrote:

> The wacom_intuos_bt_irq() function processes Bluetooth HID reports
> without sufficient bounds checking. A maliciously crafted short report
> can trigger an out-of-bounds read when copying data into the wacom
> structure.
>
> Specifically, report 0x03 requires at least 22 bytes to safely read
> the processed data and battery status, while report 0x04 (which
> falls through to 0x03) requires 32 bytes.
>
> Add explicit length checks for these report IDs and log a warning if
> a short report is received.
>
> Signed-off-by: Benoît Sevens <bsevens@xxxxxxxxxx>

Applied to hid.git#for-7.0/upstream-fixes, thanks.

--
Jiri Kosina
SUSE Labs