From: Sebastian Josue Alba Vives
To: jikos@kernel.org, bentiss@kernel.org
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Josue Alba Vives
Subject: [PATCH v2] HID: ft260: validate report size and payload length in raw_event
Date: Mon, 30 Mar 2026 07:28:44 -0600
Message-ID: <20260330132844.827338-1-sebasjosue84@gmail.com>

ft260_raw_event() casts the raw data buffer to a ft260_i2c_input_report
struct and accesses its fields without validating the size parameter.
Since __hid_input_report() invokes the driver's raw_event callback
before hid_report_raw_event() performs its own report-size validation,
a device sending a truncated HID report can cause out-of-bounds heap
reads.

Additionally, even with a full-sized report, a corrupted xfer->length
field can cause memcpy to read beyond the report buffer. The existing
check only validates against the destination buffer size, not the
source data available in the report.

Add two checks: reject reports shorter than FT260_REPORT_MAX_LENGTH,
and verify that xfer->length does not exceed the actual data available
in the report. Log warnings to aid debugging.

Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Josue Alba Vives
---
 drivers/hid/hid-ft260.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c index 333341e80..68008a423 100644 --- a/drivers/hid/hid-ft260.c
+++ b/drivers/hid/hid-ft260.c @@ -1068,6 +1068,17 @@ static int ft260_raw_event(struct hid_device *hdev, = struct hid_report *report, struct ft260_device *dev =3D hid_get_drvdata(hdev); struct ft260_i2c_input_report *xfer =3D (void *)data; =20 + if (size < FT260_REPORT_MAX_LENGTH) { + hid_warn(hdev, "short report: %d\n", size); + return 0; + } + + if (xfer->length > size - offsetof(struct ft260_i2c_input_report, data)) { + hid_warn(hdev, "payload %d exceeds report size %d\n", + xfer->length, size); + return 0; + } + if (xfer->report >=3D FT260_I2C_REPORT_MIN && xfer->report <=3D FT260_I2C_REPORT_MAX) { ft260_dbg("i2c resp: rep %#02x len %d\n", xfer->report, --=20 2.43.0
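
Review bot: The xfer->length comparison sits above the `xfer->report >= FT260_I2C_REPORT_MIN && xfer->report <= FT260_I2C_REPORT_MAX` test, so it is applied to every report ID, including ones where the byte at that offset may not be an I2C payload length; moving it inside the I2C branch, next to the memcpy the commit message refers to, would keep it from dropping reports of other types. The subtraction `size - offsetof(struct ft260_i2c_input_report, data)` is evaluated as an unsigned size_t, so it is only correct because the first check has already rejected small values of size; that depends on FT260_REPORT_MAX_LENGTH being no smaller than the header offset, and a one-line comment stating the dependency would stop a later reorder from turning it into a wraparound. Both hid_warn() calls fire on every malformed report the device sends, so a rate-limited or once-only warning would keep a faulty or hostile device from flooding the kernel log. Since this is a v2 carrying Cc: stable, a short changelog under the `---` and a Fixes: tag naming the commit that introduced the unchecked cast would help reviewers and the stable maintainers.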