Re: [PATCH v2] HID: ft260: validate i2c input report length
From: Jiri Kosina
Date: Tue Apr 28 2026 - 12:37:50 EST

On Sat, 11 Apr 2026, Michael Zaidman wrote:
> Add two checks to ft260_raw_event() to prevent out-of-bounds reads
> from malicious or malfunctioning devices:
>
> First, reject reports shorter than the 2-byte header (report ID +
> length fields). Without this, even accessing xfer->length on a
> 1-byte report is an OOB read.
>
> Second, validate xfer->length against the actual data capacity of
> the received HID report. Each I2C data report ID (0xD0 through
> 0xDE) defines a different report size in the HID descriptor, so the
> available payload varies per report. A corrupted length field could
> cause memcpy to read beyond the report buffer.
>
> Reported-by: Sebastián Josué Alba Vives <sebasjosue84@xxxxxxxxx>
> Signed-off-by: Michael Zaidman <michael.zaidman@xxxxxxxxx>
> ---
> Changes in v2:
> - Add minimum report size check before accessing header fields to
> prevent OOB read on truncated reports (size < 2)
>
> Tested on FT260 with I2C-attached EEPROM (24c02) behind PCA9548
> mux switches. Verified reads of various sizes (1-4 bytes using
> report ID 0xD0, and larger reads using higher report IDs) with
> debug tracing enabled, confirming xfer->length is correctly
> validated against the HID report size for each report ID.

Applied to hid.git#for-7.1/upstream-fixes, thanks Michael.
--
Jiri Kosina
SUSE Labs
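
The two checks described in the quoted commit message, as an added user-space C example that is not the driver's code and not part of the patch. The struct and function names, `HDR_LEN`, and the destination-size check are hypothetical; the payload capacity is assumed to be the received size minus the 2-byte header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, from the commit message: 2-byte header
 * (report ID + length) followed by the payload. Names are hypothetical. */
struct i2c_input_report {
	uint8_t report;  /* report ID, 0xD0..0xDE for I2C data */
	uint8_t length;  /* payload length claimed by the device */
	uint8_t data[];  /* payload bytes */
};
#define HDR_LEN 2u

/* Copy the payload into dst. Returns bytes copied, or -1 if rejected. */
int copy_i2c_payload(const uint8_t *buf, size_t size,
		     uint8_t *dst, size_t dst_len)
{
	const struct i2c_input_report *xfer;

	/* Check 1: the whole header must be present before any field is read. */
	if (size < HDR_LEN)
		return -1;
	xfer = (const struct i2c_input_report *)buf;
	if (xfer->report < 0xD0 || xfer->report > 0xDE)
		return -1;
	/* Check 2: the claimed length must fit in what was actually received. */
	if (xfer->length > size - HDR_LEN)
		return -1;
	/* Added assumption: the caller's buffer is bounded as well. */
	if (xfer->length > dst_len)
		return -1;
	memcpy(dst, xfer->data, xfer->length);
	return xfer->length;
}

int main(void)
{
	/* Constructed sample reports, not captured from a device. */
	uint8_t ok[] = { 0xD0, 3, 0xAA, 0xBB, 0xCC };
	uint8_t trunc[] = { 0xD0 };            /* shorter than the header */
	uint8_t lie[] = { 0xD0, 60, 0x01, 0x02 }; /* length exceeds report */
	uint8_t out[8];

	printf("ok:    %d\n", copy_i2c_payload(ok, sizeof(ok), out, sizeof(out)));
	printf("trunc: %d\n", copy_i2c_payload(trunc, sizeof(trunc), out, sizeof(out)));
	printf("lie:   %d\n", copy_i2c_payload(lie, sizeof(lie), out, sizeof(out)));
	return 0;
}
```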