Re: [PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event()

Next message: Jonathan Cameron: "Re: [PATCH v4] staging: iio: addac: adt7316: document SPI interface switching sequence"
Previous message: Jeff Layton: "[PATCH 2/4] nfs: remove nfs_compat_user_ino64() and deprecate enable_ino64"
In reply to: Jinmo Yang: "[PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Kosina

Date: Tue May 12 2026 - 12:14:34 EST

On Fri, 8 May 2026, Jinmo Yang wrote:

> pxrc_raw_event() accesses data[7] without verifying that the buffer is
> large enough. A device that sends a report shorter than 8 bytes causes
> an out-of-bounds read (priv->dial = data[7]) and an out-of-bounds write
> (data[7] = priv->dial) on the report buffer, corrupting adjacent slab
> memory.
>
> This can be triggered from userspace via /dev/uhid by creating a virtual
> device with VID 0x1781 / PID 0x0898 and sending a short UHID_INPUT2
> report.
>
> Add a size check at the top of pxrc_raw_event() to bail out when the
> report buffer is shorter than 8 bytes.
>
> Fixes: a2dccedac664 ("HID: pxrc: new driver for PhoenixRC Flight Controller Adapter")

Where is this tag coming from?

No such hash exists in Linus' tree, and the commit that actually added the
driver has a different shortlog.
Is this some LLM halucination?

--
Jiri Kosina
SUSE Labs