From nobody Sun Apr  5 16:28:29 2026
Received: from mail-vk1-f177.google.com (mail-vk1-f177.google.com
 [209.85.221.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1160B3EFD3D
	for <linux-kernel@vger.kernel.org>; Tue, 24 Mar 2026 17:35:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.177
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774373735; cv=none;
 b=adqwtI96V0mzGcV92U1OR8F88sXLyvVh7qB+qRFtANeV9Y+Ki+rrU6odCGPo4XbR+9msFnuV3wBH+85WxRtVBcf6TOeZd0stXe6VKY+Nzn7A24C+RWjf8LOh3sCP9eOQAyGWSKdeBcptx/vXlprk7tiyWbvEYrMnVr/VumSxmjA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774373735; c=relaxed/simple;
	bh=ovVs3AWOZjlyKru7AE1DWVSZIN+/WI9oHTLy46VoejQ=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=V3lWbynps1wuA3ccHJnXCl2FvNSDVUbwihwKB1vvi8isgbwUYiZzuqYblMpMrmXEY6A8qhn/5I80TfsDDoVa2c+vg2vwbD68Qbrmx+CCFhJ7nfuL+wkAzjq8xSdEm4iJjKIoTJw6JLX6ZnQwh9sPpYewBUuFun0Ktboi0mVZ1Q8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=oxkX9Zi9; arc=none smtp.client-ip=209.85.221.177
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="oxkX9Zi9"
Received: by mail-vk1-f177.google.com with SMTP id
 71dfb90a1353d-56ce07a54e8so985273e0c.2
        for <linux-kernel@vger.kernel.org>;
 Tue, 24 Mar 2026 10:35:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1774373733; x=1774978533;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=KyYn06XDchtaJ0qC9SwQHF6RATVlz66/knGROoEPpBE=;
        b=oxkX9Zi9HxEiKfCtqdjJhPdCph1anegLeatQSlYHx4pTYvB1m+aTJqxB0kCZsOtEVY
         cFIGDEluvoklptcI1FMS2TaeMDPevGpxYDAToj7UjA0czz4jcLkyJ23ZfJNgJQNvo0wc
         D/Glaeg4XDyXu75Vl/y3tzVqQC6QiVuShvS6bTaKD3P/Yq6r1p8XUAFQmyLe+Ndf3yYX
         jeT5R2F7Zu0ZrrTQC6u1/jb6vuUUmnZqyWU52sFiJNtHC32DHdE7UhQHeg27RN+E7M3h
         5dBMwaJtrhiUALSstvMF6ifbC/wb/nINIK6PHHjts2Martw7e1bRhjq5jQOsKqq6E7N1
         ifgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774373733; x=1774978533;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=KyYn06XDchtaJ0qC9SwQHF6RATVlz66/knGROoEPpBE=;
        b=f7EmRcz+JzPWSs1QmnozKWx7FtQ4pXOW8h/w2i6V2LG204MA/X/q3mN5imfCbTEC6R
         D5Too29X71QTFgh0PChCpnypC0T612W/eHnVnJJU3PjjP0HFh3N1ydwe0gPuvM4k3upz
         37sFY1r/+R5i9iOt06y/8c/bwTfpjDNcDiLHzXTguKLrpduHPY5Y9JaQJe+VCNn5tjTR
         BinjPGgGA8x23BHhafpfyRgqgGPKinv/qhcr3Qciv/zTtEE76ETtrrMkzKbkjDx8JutY
         w761s16bxhbA2iaEzLOOHDyu9tHEBN48mO+B5g7UAHVSQVWeneQnahozqR9dPYi5UcmN
         FkeA==
X-Forwarded-Encrypted: i=1;
 AJvYcCVgovXv5a8GvsZRdBNUSHMsHMXb7Oq+GOfmfK+u8S8mTLMkj9OrcQGMnWg/RySRQhd7LOTrgFIagj/NeQI=@vger.kernel.org
X-Gm-Message-State: AOJu0Ywb2S6SAeBTi5gMpa8T//HPt8gu8QLhFBDmI+zVhTzoUbSaGUX/
	l2iiZigyvjxqFdjSqBkxhsbBcCViBCq+rkdOMbRnDhoBUTE5DIIq2936
X-Gm-Gg: ATEYQzx/kq4TqFK/Ipawb+ySRZ8X6lPZ2FSl4cUrnYYPgpc8v5AoeDNZ9rK5nUU0VjV
	9o2+q8gt2mtwrRMfDouE5gb5NQ/FcJVtqCLxGy9gC294CEJK30IuZdAGJnNAyhVM+Mk8cBeet4r
	NlcT7kBf/y/AeHufJQ0H8vGDhkcuwQuIl976gHw8DVpZQJif8PhuLJonMVcAmPBUhF+Z6oxIl2m
	LKrtiqMqK7NJQqIt9sgSrQmqUBJICVfzyseOKd1eVqfmLF6HGEXbT3zrDogeFTPdRQIf+jC/bLC
	u9MUB/PSXZLNVdc1KvkY/dKHuNysfyMPHCJ7+XN4CKxKOXRukRkDEJ6YsGC3PM8yxme2wfw2Gp6
	oikWpqDAKajaMg8lQU38lNP7ydKDlp2Ir7TugDL9lmfXCsorXPy+EFhYhJVqA4293XyTCZUggPe
	0+b2SPx34wNebCE3elkUuiukh6
X-Received: by 2002:a05:6122:e1ae:b0:56b:5893:d042 with SMTP id
 71dfb90a1353d-56d2207aecamr479688e0c.12.1774373733002;
        Tue, 24 Mar 2026 10:35:33 -0700 (PDT)
Received: from localhost.localdomain ([2a09:bac6:d6dd:aa::11:17b])
        by smtp.gmail.com with ESMTPSA id
 71dfb90a1353d-56cdd9f7c6fsm16844594e0c.0.2026.03.24.10.35.31
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 24 Mar 2026 10:35:32 -0700 (PDT)
From: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
To: michael.zaidman@gmail.com,
	jikos@kernel.org,
	bentiss@kernel.org
Cc: linux-i2c@vger.kernel.org,
	linux-input@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org,
	Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Subject: [PATCH] HID: ft260: validate report size in raw_event handler
Date: Tue, 24 Mar 2026 11:35:27 -0600
Message-ID: <20260324173527.11321-1-sebasjosue84@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ft260_raw_event() casts the raw data buffer to a
ft260_i2c_input_report struct and accesses its fields without
validating the size parameter. Since __hid_input_report() invokes
the driver's raw_event callback before hid_report_raw_event()
performs its own report-size validation, a device sending a
truncated HID report can cause out-of-bounds heap reads in the
kernel.

In the I2C response path, xfer->length (data[1]) is used as the
length for a memcpy into dev->read_buf. While xfer->length is
checked against dev->read_len, there is no check that size is large
enough to actually contain xfer->length bytes of data starting at
offset 2. A malicious USB device could therefore cause an OOB read
from the kernel heap, with the result accessible from userspace via
the I2C read interface.

FT260 devices use 64-byte HID reports. Add a check at the top of
the handler to reject any report shorter than expected, and log a
warning to aid debugging.

Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
---
 drivers/hid/hid-ft260.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c
index 333341e80..7ca323992 100644
--- a/drivers/hid/hid-ft260.c
+++ b/drivers/hid/hid-ft260.c
@@ -1068,6 +1068,12 @@ static int ft260_raw_event(struct hid_device *hdev, =
struct hid_report *report,
 	struct ft260_device *dev =3D hid_get_drvdata(hdev);
 	struct ft260_i2c_input_report *xfer =3D (void *)data;
=20
+	/* FT260 always sends 64-byte reports */
+	if (size < 64) {
+		hid_warn(hdev, "report too short: %d < 64\n", size);
+		return 0;
+	}
+
 	if (xfer->report >=3D FT260_I2C_REPORT_MIN &&
 	    xfer->report <=3D FT260_I2C_REPORT_MAX) {
 		ft260_dbg("i2c resp: rep %#02x len %d\n", xfer->report,
--=20
2.43.0