From nobody Thu Apr 9 18:03:26 2026 Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F089835F603 for ; Tue, 3 Mar 2026 13:58:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772546320; cv=none; b=sIv1X7cJCOuL9ZesK/4n72rdlLzVZAORsUT8jAEBCJKwbroeu91E20aX0dP0oBIIE3j5Zf6pAHQkiLXTZidvozDga/JR1EMRmP82rD1CsZIOW0CJ712BS0WdEjziHWL2HTwX5pJsFBW2GPzaGro8RGLa0ocn1SAYDZEYQAFxo9w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772546320; c=relaxed/simple; bh=JgPY28IqOyO4a/z4K1x3H8dmp9PcfrJXoPXNd05wdyk=; h=Date:Mime-Version:Message-ID:Subject:From:To:Cc:Content-Type; b=GuiXURpLNIpIrIW/JCrR3+w2NxGQmfjQ1Gn62FlwOLEHiJvoutuOPLbkutZLoQ5wqMcO0+Z/lVuQ8dyyCeIiDtKgIlNrjih3yYt1nPejnOGj/6gzsWMsQDE+flqoc0t3vMKabrMyco1eO0YYq07Xu20hMlLH/Ab61fsMN4D6X2c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--bsevens.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=NCyatcZs; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--bsevens.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="NCyatcZs" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-65f744d0635so6958063a12.0 for ; Tue, 03 Mar 2026 05:58:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1772546317; x=1773151117; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id :mime-version:date:from:to:cc:subject:date:message-id:reply-to; bh=sBQkY0P462iGzNoybAIeEY89Pa87GfWOJS/rxXvzzC8=; b=NCyatcZsNIAOlu6rZDLqW3Rp8FafdX6hGM7VzIoUQCa4AfjBKIAeiMxwCFqxNA8Nh1 11gJtEBcmOxUUdS8aMCvuVDZfnEFU/XmXXCdkI8/P/Gmc4kNko36MkS89KKottWj706L ASGo3qRN+Ogb5tdkhoTiUusaYWx12h7gkdj38+3CJQFUPSu+JoPCsdGbni+aNTJqbf3L JcLdPEsYGyB9ekQGHHrPIgW6VnPYmItYfjq9n/I6ehOcgrcjpzDD7XlbhJPqRGP4pp4B eN/FsRsmJU3d0vxa1/hVk1RLqohfQU5uvBfkLzTKiFHVzQ1h9cstI7ympn7IyKPeLSUa VfhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772546317; x=1773151117; h=content-transfer-encoding:cc:to:from:subject:message-id :mime-version:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=sBQkY0P462iGzNoybAIeEY89Pa87GfWOJS/rxXvzzC8=; b=kiukGvWYFU7ZOcIjp0orayaQPkqo0jMBqORAWT1IWgBpwj36uFdhMhcBelCb4WOpm4 QuzX8gw4m3MKxaU9Wkdn0k1TvvfAVDjl4Ja7dYKK1SoZTKP0e36U2UTwybaug0ZZpP4d 1I+w+b1brj6/EsLmCTVJ6B2nsBVQo63NeB3OSWNy5mSOwQnsHiNhhGKMSj2M838imUrK ht4uJuV1pFsdceCwfbfl1NWKpQNt36/q/Q2Dy8At/HA4Nl7ZYysjTZwi+uvU9Io8Y4QL WiAk8M67NbFngfzHP6dQDiCnrUqW9deBFW4Pp3X0D0vYUt35vRgxH30ttEdBW4o1lY6d xmdw== X-Forwarded-Encrypted: i=1; AJvYcCVenrYJomhrIcvVjJ8C5sHDzJvBMMCyN+AuyY+xNBslo6QL1qtxSAILFBpz0xBUWTvFzMMAOIcYisKDEyo=@vger.kernel.org X-Gm-Message-State: AOJu0Yyr1TSsoaLPWIGEk6j7TXSEIjg+fcwvmqjOBiNTsMkmvgTQPD6p Axpo6BM41iQWzBUttCu6ChjP7R5S0vPp6HzJPoXjTFDl8XfHX+NhS4Fjm2Rx7nNAs7kD5deMFyz tTi/+Bps4Lg== X-Received: from edev17-n1.prod.google.com ([2002:a05:6402:a2d1:10b0:658:6265:19e4]) (user=bsevens job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6402:518b:b0:65c:5a7b:bd99 with SMTP id 4fb4d7f45d1cf-65fde4cd4aamr9382146a12.31.1772546317172; Tue, 03 Mar 2026 05:58:37 -0800 (PST) Date: Tue, 3 Mar 2026 13:58:28 +0000 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 X-Mailer: git-send-email 2.53.0.473.g4a7958ca14-goog Message-ID: <20260303135828.2374069-1-bsevens@google.com> Subject: [PATCH] HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq From: "=?UTF-8?q?Beno=C3=AEt=20Sevens?=" To: Ping Cheng , Jason Gerecke , Jiri Kosina , Benjamin Tissoires Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, "=?UTF-8?q?Beno=C3=AEt=20Sevens?=" Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received. Signed-off-by: Beno=C3=AEt Sevens Reviewed-by: Jason Gerecke --- drivers/hid/wacom_wac.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 9b2c710f8da1..da1f0ea85625 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -1208,10 +1208,20 @@ static int wacom_intuos_bt_irq(struct wacom_wac *wa= com, size_t len) =20 switch (data[0]) { case 0x04: + if (len < 32) { + dev_warn(wacom->pen_input->dev.parent, + "Report 0x04 too short: %zu bytes\n", len); + break; + } wacom_intuos_bt_process_data(wacom, data + i); i +=3D 10; fallthrough; case 0x03: + if (i =3D=3D 1 && len < 22) { + dev_warn(wacom->pen_input->dev.parent, + "Report 0x03 too short: %zu bytes\n", len); + break; + } wacom_intuos_bt_process_data(wacom, data + i); i +=3D 10; wacom_intuos_bt_process_data(wacom, data + i); --=20 2.53.0.473.g4a7958ca14-goog