Re: [PATCH 1/1] HID: core: Fix OOB read in hid_get_report for numbered reports

From: Jiri Kosina

Date: Mon Jun 29 2026 - 05:11:56 EST


On Tue, 16 Jun 2026, Lee Jones wrote:

> When a caller passes a size of 0 to hid_report_raw_event() for a
> numbered report, the function originally called hid_get_report() before
> performing any size validation.
>
> Inside hid_get_report(), if the report is numbered (report_enum->numbered
> is true), it unconditionally dereferences data[0] to extract the report ID.
> With a size of 0, this results in an out-of-bounds read or kernel panic.
>
> Fix this by moving the numbered report size validation check before the
> call to hid_get_report(), ensuring that size is at least 1 before
> dereferencing the data pointer.
>
> Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
> Signed-off-by: Lee Jones <lee@xxxxxxxxxx>

Applied, thanks.

--
Jiri Kosina
SUSE Labs
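
The check ordering described in the quoted commit message, as an added user-space example (not code from the patch or from the kernel): all names are hypothetical, the error values are the model's own, and letting an unnumbered report through with size 0 is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only: every name here is hypothetical, not the kernel's. */
#define MODEL_ERR_SHORT   (-1)  /* buffer too short to hold a report ID */
#define MODEL_ERR_UNKNOWN (-2)  /* no report registered under that ID */

struct model_report { int id; };
struct model_report_enum {
    int numbered;                       /* reports carry an ID in byte 0 */
    struct model_report *by_id[256];
};

/* Lookup as the commit message describes it: a numbered report's ID is
 * read from data[0] with no length argument, so the caller must already
 * have established size >= 1. */
static struct model_report *model_get_report(const struct model_report_enum *e,
                                             const uint8_t *data)
{
    unsigned int n = 0;

    if (e->numbered)
        n = data[0];
    return e->by_id[n];
}

/* Fixed ordering: validate the size first, then look the report up. */
int model_raw_event(const struct model_report_enum *e,
                    const uint8_t *data, size_t size)
{
    struct model_report *r;

    if (e->numbered && size < 1)
        return MODEL_ERR_SHORT;         /* data[0] is never touched */
    r = model_get_report(e, data);
    return r ? r->id : MODEL_ERR_UNKNOWN;
}

int main(void)
{
    static struct model_report r7 = { 7 };
    static struct model_report_enum e = { .numbered = 1 };
    const uint8_t buf[] = { 7, 0xaa };  /* constructed sample report */

    e.by_id[7] = &r7;
    printf("size 2 -> %d\n", model_raw_event(&e, buf, sizeof(buf)));
    printf("size 0 -> %d\n", model_raw_event(&e, NULL, 0));
    return 0;
}
```

Passing NULL with size 0 makes the ordering observable: the call returns MODEL_ERR_SHORT instead of faulting, which it would do if the lookup ran first.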