[PATCH 4/4] HID: wacom: validate report length for 24HDT and 27QHDT handlers

Next message: Jonathan Cameron: "Re: [PATCH v13 02/12] iio: kstrtox: add local _parse_integer_limit_init() helper"
Previous message: Jinmo Yang: "[PATCH 2/4] HID: wacom: validate report length for DTU handler"
In reply to: Jinmo Yang: "[PATCH 2/4] HID: wacom: validate report length for DTU handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jinmo Yang

Date: Sun May 17 2026 - 09:54:36 EST

wacom_24hdt_irq() accesses data[61] for WACOM_24HDT and data[63] for
WACOM_27QHDT in the raw HID report buffer without validating the buffer
length. This sub-function is called from wacom_wac_irq() which receives
the length parameter but does not pass it to the handler.

A malicious USB device can declare a small HID report in its descriptor
and send a matching short report that passes the HID core size check
(csize >= rsize), but the driver assumes a full-size hardware report
layout, leading to slab-out-of-bounds reads.

Add minimum length checks in wacom_wac_irq() before dispatching to
wacom_24hdt_irq() for both device types.

Fixes: b1e4279e4ef5 ("Input: wacom - add touch sensor support for Cintiq 24HD touch")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jinmo Yang <jinmo44.yang@xxxxxxxxx>
---
drivers/hid/wacom_wac.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 269e8318f..2fd1c4e80 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -3509,7 +3509,14 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)
break;

case WACOM_24HDT:
+ if (len < 62)
+ return;
+ sync = wacom_24hdt_irq(wacom_wac);
+ break;
+
case WACOM_27QHDT:
+ if (len < 64)
+ return;
sync = wacom_24hdt_irq(wacom_wac);
break;

--
2.53.0