From: Jinmo Yang
To: linux-input@vger.kernel.org
Cc: jikos@kernel.org, benjamin.tissoires@redhat.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jinmo Yang
Subject: [PATCH 1/4] HID: wacom: validate report length for PL and PTU handlers
Date: Sun, 17 May 2026 22:52:12 +0900
Message-ID: <20260517135215.2220117-2-jinmo44.yang@gmail.com>
In-Reply-To: <20260517135215.2220117-1-jinmo44.yang@gmail.com>
References: <20260517135215.2220117-1-jinmo44.yang@gmail.com>

wacom_pl_irq() and wacom_ptu_irq() access fixed offsets up to data[7] in the raw HID report buffer without validating the buffer length. These sub-functions are called from wacom_wac_irq() which receives the length parameter but does not pass it to the handlers.

A malicious USB device can declare a small HID report in its descriptor and send a matching short report that passes the HID core size check (csize >= rsize), but the driver assumes a full-size hardware report layout, leading to slab-out-of-bounds reads.

Add minimum length checks in wacom_wac_irq() before dispatching to wacom_pl_irq() and wacom_ptu_irq().

Fixes: 4104d13fe019 ("Input: move USB tablets under drivers/input/tablet")
Cc: stable@vger.kernel.org
Signed-off-by: Jinmo Yang
---
 drivers/hid/wacom_wac.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index da1f0ea85..6d06842b6 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -3453,6 +3453,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_= t len) break; =20 case PL: + if (len < 8) + return; sync =3D wacom_pl_irq(wacom_wac); break; =20 
@@ -3464,6 +3466,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_= t len) break; =20 case PTU: + if (len < 8) + return; sync =3D wacom_ptu_irq(wacom_wac); break; =20 --=20 2.53.0

From: Jinmo Yang
To: linux-input@vger.kernel.org
Cc: jikos@kernel.org, benjamin.tissoires@redhat.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jinmo Yang
Subject: [PATCH 2/4] HID: wacom: validate report length for DTU handler
Date: Sun, 17 May 2026 22:52:13 +0900
Message-ID: <20260517135215.2220117-3-jinmo44.yang@gmail.com>
In-Reply-To: <20260517135215.2220117-1-jinmo44.yang@gmail.com>
References: <20260517135215.2220117-1-jinmo44.yang@gmail.com>

wacom_dtu_irq() accesses fixed offsets up to data[7] in the raw HID report buffer without validating the buffer length. This sub-function is called from wacom_wac_irq() which receives the length parameter but does not pass it to the handler.

A malicious USB device can declare a small HID report in its descriptor and send a matching short report that passes the HID core size check (csize >= rsize), but the driver assumes a full-size hardware report layout, leading to slab-out-of-bounds reads.

Add a minimum length check in wacom_wac_irq() before dispatching to wacom_dtu_irq().

Fixes: c8f2edc56acf ("Input: wacom - add support for DTU2231 and DTU1631")
Cc: stable@vger.kernel.org
Signed-off-by: Jinmo Yang
---
 drivers/hid/wacom_wac.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 6d06842b6..873d58a6d 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c 
@@ -3472,6 +3472,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_= t len) break; =20 case DTU: + if (len < 8) + return; sync =3D wacom_dtu_irq(wacom_wac); break; =20 --=20 2.53.0

From: Jinmo Yang
To: linux-input@vger.kernel.org
Cc: jikos@kernel.org, benjamin.tissoires@redhat.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jinmo Yang
Subject: [PATCH 3/4] HID: wacom: validate report length for DTUS handler
Date: Sun, 17 May 2026 22:52:14 +0900
Message-ID: <20260517135215.2220117-4-jinmo44.yang@gmail.com>
In-Reply-To: <20260517135215.2220117-1-jinmo44.yang@gmail.com>
References: <20260517135215.2220117-1-jinmo44.yang@gmail.com>

wacom_dtus_irq() accesses fixed offsets up to data[6] in the raw HID report buffer without validating the buffer length. This sub-function is called from wacom_wac_irq() which receives the length parameter but does not pass it to the handler.

A malicious USB device can declare a small HID report in its descriptor and send a matching short report that passes the HID core size check (csize >= rsize), but the driver assumes a full-size hardware report layout, leading to slab-out-of-bounds reads.

Add a minimum length check in wacom_wac_irq() before dispatching to wacom_dtus_irq().

Fixes: 497ab1f290a2 ("Input: wacom - add support for DTU-1031")
Cc: stable@vger.kernel.org
Signed-off-by: Jinmo Yang
---
 drivers/hid/wacom_wac.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 873d58a6d..269e8318f 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c 
@@ -3479,6 +3479,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_= t len) =20 case DTUS: case DTUSX: + if (len < 7) + return; sync =3D wacom_dtus_irq(wacom_wac); break; =20 --=20 2.53.0

From: Jinmo Yang
To: linux-input@vger.kernel.org
Cc: jikos@kernel.org, benjamin.tissoires@redhat.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jinmo Yang
Subject: [PATCH 4/4] HID: wacom: validate report length for 24HDT and 27QHDT handlers
Date: Sun, 17 May 2026 22:52:15 +0900
Message-ID: <20260517135215.2220117-5-jinmo44.yang@gmail.com>
In-Reply-To: <20260517135215.2220117-1-jinmo44.yang@gmail.com>
References: <20260517135215.2220117-1-jinmo44.yang@gmail.com>

wacom_24hdt_irq() accesses data[61] for WACOM_24HDT and data[63] for WACOM_27QHDT in the raw HID report buffer without validating the buffer length. This sub-function is called from wacom_wac_irq() which receives the length parameter but does not pass it to the handler.

A malicious USB device can declare a small HID report in its descriptor and send a matching short report that passes the HID core size check (csize >= rsize), but the driver assumes a full-size hardware report layout, leading to slab-out-of-bounds reads.

Add minimum length checks in wacom_wac_irq() before dispatching to wacom_24hdt_irq() for both device types.

Fixes: b1e4279e4ef5 ("Input: wacom - add touch sensor support for Cintiq 24HD touch")
Cc: stable@vger.kernel.org
Signed-off-by: Jinmo Yang
---
 drivers/hid/wacom_wac.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 269e8318f..2fd1c4e80 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c 
@@ -3509,7 +3509,14 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size= _t len) break; =20 case WACOM_24HDT: + if (len < 62) + return; + sync =3D wacom_24hdt_irq(wacom_wac); + break; + case WACOM_27QHDT: + if (len < 64) + return; sync =3D wacom_24hdt_irq(wacom_wac); break; =20 --=20 2.53.0
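
Review bot: In the "case PL:" hunk of patch 1/4 the bound is enforced in wacom_wac_irq() while the data[] reads stay in wacom_pl_irq(), which is still called without len, so nothing in the code ties the literal 8 to the accesses it protects. Consider passing len into the handler and checking it next to the reads, or at least adding a comment that 8 is the highest offset read (data[7]) plus one; the same point applies to the "case PTU:" hunk.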
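
Review bot: The "case DTU:" check in patch 2/4 returns without leaving any trace, so a device that keeps sending undersized reports is dropped silently. A rate-limited debug or warning message carrying len and the expected minimum, emitted before the "return;", would make such a device visible in the kernel log.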
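
Review bot: In patch 3/4 the "if (len < 7)" bound under "case DTUS:" and "case DTUSX:" differs from the 8 used for PL, PTU and DTU, and the only explanation (reads up to data[6]) lives in the commit message. A one-line comment above the check naming the highest offset read would keep a later cleanup from changing the value by mistake.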
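
Review bot: The "case WACOM_24HDT:" hunk in patch 4/4 splits what was a shared case body, so "sync = wacom_24hdt_irq(wacom_wac); break;" now appears twice only to carry two different minimums (62 and 64). Keeping both labels on one body and selecting the minimum by device type before the single call would avoid the duplication; either way, a comment tying 62 to data[61] and 64 to data[63] would document where the numbers come from.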
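
The condition the four commit messages describe (a report that satisfies csize >= rsize yet is shorter than the fixed layout a handler reads) can be modelled in user space. This is an added example, not code from the patches or from the wacom driver: dispatch(), read_last_fixed(), run_case() and the verdict names are hypothetical, the stand-in handler only touches the last fixed offset, and the per-type minimums are the ones the series adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Device types named in the series. Each bound is the one its patch adds:
 * the highest index the handler reads, plus one. */
enum dev_type { PL, PTU, DTU, DTUS, DTUSX, WACOM_24HDT, WACOM_27QHDT, NTYPES };

static const size_t min_len[NTYPES] = {
	[PL] = 8, [PTU] = 8, [DTU] = 8, [DTUS] = 7, [DTUSX] = 7,
	[WACOM_24HDT] = 62, [WACOM_27QHDT] = 64,
};

enum verdict { REPORT_OK = 0, DROP_CORE = -1, DROP_SHORT = -2, DROP_TYPE = -3 };

/* Size check as the commit messages quote it: bytes received (csize) against
 * the report size the device declared in its own descriptor (rsize). */
static int core_size_ok(size_t csize, size_t rsize)
{
	return csize >= rsize;
}

/* Stand-in for a handler (hypothetical): it touches only the last fixed
 * offset, and takes len so the bound sits next to the access. */
static int read_last_fixed(const uint8_t *data, size_t len, size_t need,
			   uint8_t *out)
{
	if (len < need)
		return -1;
	*out = data[need - 1];
	return 0;
}

/* Dispatcher model: core check, then the per-type minimum, then the handler. */
int dispatch(enum dev_type type, const uint8_t *data, size_t csize,
	     size_t rsize, uint8_t *last)
{
	if (!core_size_ok(csize, rsize))
		return DROP_CORE;
	if ((int)type < 0 || type >= NTYPES)
		return DROP_TYPE;
	if (csize < min_len[type])
		return DROP_SHORT;
	return read_last_fixed(data, csize, min_len[type], last) ?
	       DROP_SHORT : REPORT_OK;
}

/* Constructed input: a report whose byte i holds the value i. Returns the
 * verdict, or the byte read at the last fixed offset when accepted. */
int run_case(enum dev_type type, size_t csize, size_t rsize)
{
	uint8_t buf[64], last = 0;
	size_t i;
	int v;

	if (csize > sizeof(buf))
		csize = sizeof(buf);
	for (i = 0; i < sizeof(buf); i++)
		buf[i] = (uint8_t)i;
	v = dispatch(type, buf, csize, rsize, &last);
	return v == REPORT_OK ? (int)last : v;
}

int main(void)
{
	/* Device declares a 2-byte report and sends 2 bytes: the core check
	 * passes, and the per-type minimum is what rejects the report. */
	printf("PL, 2 of 2 bytes:  %d\n", run_case(PL, 2, 2));
	printf("27QHDT, 62 bytes:  %d\n", run_case(WACOM_27QHDT, 62, 62));
	printf("24HDT, 62 bytes:   %d\n", run_case(WACOM_24HDT, 62, 62));
	return 0;
}
```

A negative result is a drop verdict; a non-negative result is the byte read at the last fixed offset of an accepted report.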