Re: [PATCH] HID: playstation: Clamp num_touch_reports

From: T.J. Mercier

Date: Tue May 12 2026 - 19:05:06 EST


On Tue, May 12, 2026 at 8:55 AM Jiri Kosina <jikos@xxxxxxxxxx> wrote:
>
> On Fri, 17 Apr 2026, T.J. Mercier wrote:
>
> > A device would never lie about the number of touch reports would it?
> >
> > If it does the loop in dualshock4_parse_report will read off the end of
> > the touch_reports array, up to about 2 KiB for the maximum number of 256
> > loop iterations. The data that is read is emitted via evdev if the
> > DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by
> > clamping the num_touch_reports value provided by the device to the
> > maximum size of the touch_reports array.
> >
> > Fixes: 752038248808 ("HID: playstation: add DualShock4 touchpad support.")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Reported-by: Xingyu Jin <xingyuj@xxxxxxxxxx>
> > Signed-off-by: T.J. Mercier <tjmercier@xxxxxxxxxx>
>
> Applied, thanks.
>
> --
> Jiri Kosina
> SUSE Labs

Hi Jiri,

Thanks for applying this. However, now I see that a different fix from
Benoît Sevens from around the same time has landed:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82a4fc46330910b4c1d9b189561439d468e3ff11

That fix was not yet present at
3cd8b194bf3428dfa53120fee47e827a7c495815 which I used as my base.

His patch prints and returns an error in this situation while mine
silently avoids the OOB read.

So I think it probably makes sense to keep Benoît's patch, and drop
mine since his code means mine will never be reached.

Thanks,
T.J.
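
The two approaches compared in this thread, clamping the device-supplied count versus rejecting the report with an error, shown side by side as an added example. It is not code from either patch or from the kernel driver: the struct layout, the capacity of 3 and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a device report; not the driver's layout. */
#define MAX_TOUCH_REPORTS 3 /* assumed capacity of the fixed array */

struct touch_report { uint8_t timestamp, contact, x, y; };

struct input_report {
    uint8_t num_touch_reports; /* device-controlled, untrusted */
    struct touch_report touch_reports[MAX_TOUCH_REPORTS];
};

/* Clamp: bound the count to the array and process what fits, silently. */
static int parse_clamp(const struct input_report *r, struct touch_report *out)
{
    size_t n = r->num_touch_reports;

    if (n > MAX_TOUCH_REPORTS)
        n = MAX_TOUCH_REPORTS;
    for (size_t i = 0; i < n; i++)
        out[i] = r->touch_reports[i];
    return (int)n;
}

/* Reject: treat an impossible count as a malformed report and say so. */
static int parse_reject(const struct input_report *r, struct touch_report *out)
{
    if (r->num_touch_reports > MAX_TOUCH_REPORTS) {
        fprintf(stderr, "bad num_touch_reports %u\n",
                (unsigned)r->num_touch_reports);
        return -1;
    }
    return parse_clamp(r, out); /* count already known to be in range */
}

/* Build a constructed report claiming `claimed` entries and parse it. */
static int run(int reject, uint8_t claimed)
{
    struct input_report r;
    struct touch_report out[MAX_TOUCH_REPORTS];

    memset(&r, 0, sizeof(r));
    r.num_touch_reports = claimed;
    return reject ? parse_reject(&r, out) : parse_clamp(&r, out);
}

int main(void)
{
    printf("clamp: %d, reject: %d\n", run(0, 200), run(1, 200));
    return 0;
}
```

When the reject check runs first, the clamp branch can never trigger, which is why only one of the two is needed.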