[PATCH 1/1] HID: core: Fix OOB read in hid_get_report for numbered reports

Next message: Tomi Valkeinen: "Re: [PATCH v5 06/10] media: rcar-csi2: Add .get_frame_desc op"
Previous message: Yun Zhou: "[PATCH v3] net: mvneta_bm: add suspend/resume support to prevent crash after resume"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH 1/1] HID: core: Fix OOB read in hid_get_report for numbered reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Lee Jones

Date: Tue Jun 16 2026 - 07:30:13 EST

When a caller passes a size of 0 to hid_report_raw_event() for a
numbered report, the function originally called hid_get_report() before
performing any size validation.

Inside hid_get_report(), if the report is numbered (report_enum->numbered
is true), it unconditionally dereferences data[0] to extract the report ID.
With a size of 0, this results in an out-of-bounds read or kernel panic.

Fix this by moving the numbered report size validation check before the
call to hid_get_report(), ensuring that size is at least 1 before
dereferencing the data pointer.

Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
---
drivers/hid/hid-core.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 41a79e43c82b..cf123347a2af 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2045,6 +2045,13 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
u8 *cdata = data;
int ret = 0;

+ if (report_enum->numbered && (size < 1 || bufsize < 1)) {
+ hid_warn_ratelimited(hid,
+ "Event data for numbered report is too short (%d vs %zu)\n",
+ size, bufsize);
+ return -EINVAL;
+ }
+
report = hid_get_report(report_enum, data);
if (!report)
return 0;
--
2.54.0.1136.gdb2ca164c4-goog