Several wacom IRQ handler sub-functions access fixed offsets in the raw
HID report buffer without validating the buffer length. wacom_wac_irq()
receives the length from wacom_raw_event() but does not validate it
before dispatching to the sub-functions, which do not receive the length
parameter.

A malicious USB device can declare a small HID report in its descriptor
and send a matching short report that passes the HID core size check
(csize >= rsize), but the driver assumes a full-size hardware report
layout, leading to slab-out-of-bounds reads.

Note: this is not mitigated by the recent HID core bounds checking
series which validates actual_size >= declared_size. An attacker
controls both the descriptor (declared size) and the sent data (actual
size), so the core check passes. Driver-level validation against the
expected hardware report layout is still necessary.

Tested with KASAN on Linux 7.1-rc3 (slab-out-of-bounds confirmed) and
verified kernel panic on a production device via uhid.

Jinmo Yang (4):
  HID: wacom: validate report length for PL and PTU handlers
  HID: wacom: validate report length for DTU handler
  HID: wacom: validate report length for DTUS handler
  HID: wacom: validate report length for 24HDT and 27QHDT handlers

 drivers/hid/wacom_wac.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--
2.53.0
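The two-stage check the cover letter describes, as an added C example that is not code from the patch series or the wacom driver: a model of the HID core size check (actual >= declared) beside a driver-level check against the fixed layout the handler is about to index. The 8-byte layout, `PEN_REPORT_LEN`, `parse_pen_report`, `handle_report` and the sample report bytes are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical hardware layout: 8-byte pen report, X at bytes 2-3,
 * Y at bytes 4-5, pressure at bytes 6-7. */
#define PEN_REPORT_LEN 8

struct pen_state { int x, y, pressure; };

/* Model of the HID core check: the received buffer must be at least as
 * long as the size the device itself declared for this report. A device
 * that declares 4 bytes and sends 4 bytes passes this check. */
static bool hid_core_size_ok(size_t declared_size, size_t actual_size)
{
    return actual_size >= declared_size;
}

/* Driver-level handler: the length is passed down and compared with the
 * layout the code indexes, before any fixed-offset read takes place. */
static int parse_pen_report(const uint8_t *data, size_t len,
                            struct pen_state *st)
{
    if (len < PEN_REPORT_LEN)
        return -1;               /* short report: drop it, never index */
    st->x        = data[2] | (data[3] << 8);
    st->y        = data[4] | (data[5] << 8);
    st->pressure = data[6] | (data[7] << 8);
    return 0;
}

/* Both stages in order. Returns 0 parsed, 1 rejected by the core check,
 * 2 rejected by the driver-level layout check. */
static int handle_report(size_t declared_size, const uint8_t *data,
                         size_t len, struct pen_state *st)
{
    if (!hid_core_size_ok(declared_size, len))
        return 1;
    return parse_pen_report(data, len, st) == 0 ? 0 : 2;
}

/* Constructed samples (not captured from any device). */
static const uint8_t sample_full_rep[PEN_REPORT_LEN] =
    { 0x02, 0xf0, 0x34, 0x12, 0x78, 0x56, 0xff, 0x03 };
static const uint8_t sample_short_rep[4] = { 0x02, 0xf0, 0x34, 0x12 };

/* Declared size equals sent size (4): core passes, driver rejects. */
static int demo_short_report(void)
{
    struct pen_state st = {0};
    return handle_report(sizeof sample_short_rep, sample_short_rep,
                         sizeof sample_short_rep, &st);
}
```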