[PATCH 2/4] HID: bpf: prevent buffer overflow in hid_hw_request

Benjamin Tissoires posted 4 patches 3 weeks, 4 days ago
Posted by Benjamin Tissoires 3 weeks, 4 days ago
Right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrarily big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
---
 drivers/hid/bpf/hid_bpf_dispatch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index f3d15994ca1e..50c7b45c59e3 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -444,6 +444,8 @@ hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
 					      (u64)(long)ctx,
 					      true); /* prevent infinite recursions */
 
+	if (ret > size)
+		ret = size;
 	if (ret > 0)
 		memcpy(buf, dma_data, ret);
 

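Review bot: The clamp `if (ret > size)` sits before the `if (ret > 0)` test, so it is also evaluated for negative error returns. The declarations of `ret` and `size` are not in this hunk; if `ret` is a signed int and `size` is an unsigned type (like the `size_t buf__sz` in the signature), a negative `ret` is converted to a large unsigned value, compares greater than `size`, and is overwritten with `size`, so a failed request would look like a successful full-length read and the error code would be lost. Moving the clamp under the existing check, i.e. `if (ret > 0) { if (ret > size) ret = size; memcpy(buf, dma_data, ret); }`, keeps the bound on the memcpy while leaving negative values untouched whatever the types are. A short comment saying that the value comes from a struct_ops program and cannot be trusted would also help the next reader understand why the clamp is there.
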
-- 
2.52.0
Re: [PATCH 2/4] HID: bpf: prevent buffer overflow in hid_hw_request
Posted by Jiri Kosina 3 weeks, 3 days ago
On Fri, 13 Mar 2026, Benjamin Tissoires wrote:

> Right now the returned value is considered to be always valid. However,
> when playing with HID-BPF, the return value can be arbitrarily big,
> because it's the return value of dispatch_hid_bpf_raw_requests(), which
> calls the struct_ops and we have no guarantees that the value makes
> sense.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

Acked-by: Jiri Kosina <jkosina@suse.com>

-- 
Jiri Kosina
SUSE Labs