1. Patchew
  2. linux
  3. View series

[PATCH] HID: lenovo: Fix buffer over-read in X12 Tab raw_event handler

Kean posted 1 patch 1 month ago 
drivers/hid/hid-lenovo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] HID: lenovo: Fix buffer over-read in X12 Tab raw_event handler
Posted by Kean 1 month ago 
In lenovo_raw_event(), the X12 Tab keyboard handler reads a 4-byte
little-endian value via *(__le32 *)data but only guards the access
with a size >= 3 check.  If a 3-byte report with ID 0x03 is received,
the code reads one byte beyond the end of the buffer.

Change the size check to >= 4 to match the actual access width.

Signed-off-by: Kean <rh_king@163.com>
---
 drivers/hid/hid-lenovo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
index a6b73e03c16b..4686ecb6cfa8 100644
--- a/drivers/hid/hid-lenovo.c
+++ b/drivers/hid/hid-lenovo.c
@@ -793,7 +793,7 @@ static int lenovo_raw_event(struct hid_device *hdev,
 	 */
 	if (unlikely((hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB
 			|| hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB2)
-			&& size >= 3 && report->id == 0x03))
+			&& size >= 4 && report->id == 0x03))
 		return lenovo_raw_event_TP_X12_tab(hdev, le32_to_cpu(*(__le32 *)data));
 
 	return 0;
-- 
2.53.0
Re: [PATCH] HID: lenovo: Fix buffer over-read in X12 Tab raw_event handler
Posted by Mark Pearson 1 month ago 
On Mon, May 11, 2026, at 9:28 AM, Kean wrote:
> In lenovo_raw_event(), the X12 Tab keyboard handler reads a 4-byte
> little-endian value via *(__le32 *)data but only guards the access
> with a size >= 3 check.  If a 3-byte report with ID 0x03 is received,
> the code reads one byte beyond the end of the buffer.
>
> Change the size check to >= 4 to match the actual access width.
>
> Signed-off-by: Kean <rh_king@163.com>
> ---
>  drivers/hid/hid-lenovo.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
> index a6b73e03c16b..4686ecb6cfa8 100644
> --- a/drivers/hid/hid-lenovo.c
> +++ b/drivers/hid/hid-lenovo.c
> @@ -793,7 +793,7 @@ static int lenovo_raw_event(struct hid_device *hdev,
>  	 */
>  	if (unlikely((hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB
>  			|| hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB2)
> -			&& size >= 3 && report->id == 0x03))
> +			&& size >= 4 && report->id == 0x03))
>  		return lenovo_raw_event_TP_X12_tab(hdev, le32_to_cpu(*(__le32 *)data));
> 
>  	return 0;
> -- 
> 2.53.0

Looks good to me. Thanks!
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>

Mark

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.