Re: [PATCH] HID: lenovo: Fix buffer over-read in X12 Tab raw_event handler

From: Mark Pearson

Date: Mon May 11 2026 - 14:13:34 EST


On Mon, May 11, 2026, at 9:28 AM, Kean wrote:
> In lenovo_raw_event(), the X12 Tab keyboard handler reads a 4-byte
> little-endian value via *(__le32 *)data but only guards the access
> with a size >= 3 check. If a 3-byte report with ID 0x03 is received,
> the code reads one byte beyond the end of the buffer.
>
> Change the size check to >= 4 to match the actual access width.
>
> Signed-off-by: Kean <rh_king@xxxxxxx>
> ---
> drivers/hid/hid-lenovo.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
> index a6b73e03c16b..4686ecb6cfa8 100644
> --- a/drivers/hid/hid-lenovo.c
> +++ b/drivers/hid/hid-lenovo.c
> @@ -793,7 +793,7 @@ static int lenovo_raw_event(struct hid_device *hdev,
> */
> if (unlikely((hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB
> || hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB2)
> - && size >= 3 && report->id == 0x03))
> + && size >= 4 && report->id == 0x03))
> return lenovo_raw_event_TP_X12_tab(hdev, le32_to_cpu(*(__le32 *)data));
>
> return 0;
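
Review bot: With the condition changed to size >= 4, a 3-byte report with ID 0x03 now falls through to return 0 and is silently ignored, so it is worth confirming that the X12 Tab never delivers its key events as 3-byte reports; the previous size >= 3 bound suggests that only three bytes may have been considered significant. If such short reports do occur, building the value from the bytes actually present would keep them working without reading past the buffer. Separately, the *(__le32 *)data cast on the line after the changed check assumes data is suitably aligned for a 32-bit load; get_unaligned_le32(data) would express the same read without that assumption.
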
> --
> 2.53.0

Looks good to me. Thanks!
Reviewed-by: Mark Pearson <mpearson-lenovo@xxxxxxxxx>

Mark