Hi,

I found the following slab-out-of-bounds write in the wacom HID driver
while fuzzing with syzkaller on v7.1.0-rc4-next-20260522:

BUG: KASAN: slab-out-of-bounds in kfifo_copy_in+0xf3/0x130 lib/kfifo.c:106
Write of size 3842 at addr ffff888009179000 by task syz.3.9362/61135
CPU: 1 UID: 0 PID: 61135 Comm: syz.3.9362 Not tainted 7.1.0-rc4-next-20260522-dirty #3 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x97/0xe0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x157/0x4c9 mm/kasan/report.c:482
kasan_report+0xce/0x100 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
__asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
kfifo_copy_in+0xf3/0x130 lib/kfifo.c:106
__kfifo_in_r lib/kfifo.c:442 [inline]
__kfifo_in_r+0x1b2/0x230 lib/kfifo.c:434
wacom_wac_queue_insert drivers/hid/wacom_sys.c:65 [inline]
wacom_wac_pen_serial_enforce drivers/hid/wacom_sys.c:165 [inline]
wacom_raw_event+0x900/0xa90 drivers/hid/wacom_sys.c:179
__hid_input_report.constprop.0+0x39a/0x4d0 drivers/hid/hid-core.c:2161
uhid_dev_input2 drivers/hid/uhid.c:618 [inline]
uhid_char_write+0xa8a/0xfa0 drivers/hid/uhid.c:776
vfs_write+0x2c0/0xe40 fs/read_write.c:686
ksys_write+0x1f8/0x250 fs/read_write.c:740
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x590 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Allocated by task 4174:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5309 [inline]
__kmalloc_node_noprof+0x19a/0x4e0 mm/slub.c:5315
_kmalloc_array_node_noprof include/linux/slab.h:1269 [inline]
__kfifo_alloc_node+0x11e/0x260 lib/kfifo.c:44
__kfifo_alloc include/linux/kfifo.h:932 [inline]
wacom_devm_kfifo_alloc drivers/hid/wacom_sys.c:1315 [inline]
wacom_parse_and_register+0x2b4/0x5640 drivers/hid/wacom_sys.c:2381
wacom_probe+0x8d5/0xc40 drivers/hid/wacom_sys.c:2880

The buggy address belongs to the object at ffff888009179000
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
allocated 256-byte region [ffff888009179000, ffff888009179100)

Memory state around the buggy address:
ffff888009179000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888009179080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888009179100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888009179180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888009179200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This is a regression from commit 5e013ad20689 ("HID: wacom: Remove
static WACOM_PKGLEN_MAX limit"), first present in v6.15-rc1. Before
that commit, wacom_raw_event() rejected reports exceeding
WACOM_PKGLEN_MAX (361 bytes) and the kfifo was sized at 512 bytes
(361 rounded up). After the commit, the size cap was removed and the
kfifo is dynamically sized as min(PAGE_SIZE, 10 * pktlen), which can
be as small as 256 bytes.

wacom_wac_queue_insert() passes the report size directly to kfifo_in()
without validating that it fits. When a UHID_INPUT2 event delivers a
report up to 4096 bytes (UHID_DATA_MAX), kfifo_copy_in() writes up to
3840 bytes past the end of the kmalloc-256 slab object.

The fix adds a bounds check in wacom_wac_queue_insert() to reject
reports that exceed the kfifo capacity.
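To make the failure mode and the shape of the fix concrete, here is an added userspace C model of a record FIFO with a 2-byte length header per record, in the spirit of kfifo_rec_ptr_2. It is not the kernel's lib/kfifo.c, not the wacom driver, and not the patch in this series; the function names (fifo_copy_in, fifo_in_rec, queue_insert, scenario) and the power-of-two capacity are my own assumptions, and the sizes used in the scenario (a 256-byte fifo, 100-byte reports, a 4096-byte input) are constructed from the numbers quoted above. queue_insert() shows the eviction loop described in this cover letter with a capacity check in front of it: a report that exceeds the fifo's total capacity is refused before any copy, instead of being handed to the wrapping copy routine, which has no bound of its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace model of a record FIFO with a 2-byte length header per
 * record (in the spirit of kfifo_rec_ptr_2). Added example: this is neither
 * the kernel's lib/kfifo.c nor the wacom driver's code. */
#define REC_SIZE 2u

struct rec_fifo {
    unsigned int in;    /* total bytes ever produced */
    unsigned int out;   /* total bytes ever consumed */
    unsigned int mask;  /* capacity - 1; capacity must be a power of two */
    uint8_t *data;
};

static unsigned int fifo_unused(const struct rec_fifo *f)
{
    return (f->mask + 1) - (f->in - f->out);
}

/* Copy len bytes to logical offset off, wrapping at the end of the buffer.
 * Nothing here bounds len against the capacity: a caller that skips that
 * check is how an oversized report runs past the end of the allocation. */
static void fifo_copy_in(struct rec_fifo *f, const uint8_t *src,
                         unsigned int len, unsigned int off)
{
    unsigned int size = f->mask + 1, l;
    off &= f->mask;
    l = len < size - off ? len : size - off;
    memcpy(f->data + off, src, l);
    memcpy(f->data, src + l, len - l);     /* wrapped remainder, if any */
}

/* Queue one record; returns payload bytes queued, 0 if it does not fit. */
static unsigned int fifo_in_rec(struct rec_fifo *f, const uint8_t *buf,
                                unsigned int len)
{
    uint8_t hdr[REC_SIZE] = { (uint8_t)(len & 0xff), (uint8_t)(len >> 8) };
    if (len > 0xffff || len + REC_SIZE > fifo_unused(f))
        return 0;
    fifo_copy_in(f, hdr, REC_SIZE, f->in);
    fifo_copy_in(f, buf, len, f->in + REC_SIZE);
    f->in += len + REC_SIZE;
    return len;
}

/* Payload length of the record whose header sits at logical position pos. */
static unsigned int fifo_rec_len_at(const struct rec_fifo *f, unsigned int pos)
{
    unsigned int off = pos & f->mask;
    return f->data[off] | ((unsigned int)f->data[(off + 1) & f->mask] << 8);
}

static unsigned int fifo_count_recs(const struct rec_fifo *f)
{
    unsigned int n = 0, pos = f->out;
    for (; pos != f->in; n++)
        pos += fifo_rec_len_at(f, pos) + REC_SIZE;
    return n;
}

/* Driver-style insert (evict the oldest records until the new one fits) with
 * a capacity check in front: a report larger than the whole fifo can never be
 * made to fit by evicting anything, so it is rejected before the buffer is
 * touched. The check also means the loop only runs on a non-empty fifo. */
static int queue_insert(struct rec_fifo *f, const uint8_t *report,
                        unsigned int size)
{
    if (size + REC_SIZE > f->mask + 1)
        return -1;
    while (fifo_unused(f) < size + REC_SIZE)
        f->out += fifo_rec_len_at(f, f->out) + REC_SIZE;   /* drop oldest */
    return fifo_in_rec(f, report, size) == size ? 0 : -1;
}

/* Scenario mirroring the report: a 256-byte fifo gets three 100-byte reports
 * (the third evicts the first), then one 4096-byte UHID_DATA_MAX-sized one.
 * Returns the records queued afterwards; *rejected says whether the big one
 * was refused. Sizes are constructed from the numbers in the cover letter. */
static int scenario(int *rejected)
{
    static uint8_t storage[256], report[4096];
    struct rec_fifo f = { 0, 0, sizeof storage - 1, storage };
    memset(report, 0xab, sizeof report);
    queue_insert(&f, report, 100);
    queue_insert(&f, report, 100);
    queue_insert(&f, report, 100);
    *rejected = queue_insert(&f, report, 4096) < 0;
    return (int)fifo_count_recs(&f);
}

int main(void)
{
    int rejected, n = scenario(&rejected);
    printf("records queued: %d, oversized report rejected: %d\n", n, rejected);
    return 0;
}
```

Run as-is, the scenario leaves two 100-byte records queued and reports the 4096-byte input as rejected. The copy routine is written the way a wrapping ring-buffer copy usually is, with the length split at the end of the buffer and the remainder written from offset zero; that split is only safe when the caller has already established that the record fits, which is what the check at the top of queue_insert() guarantees.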

Thanks,
Jinmo

Jinmo Yang (1):
  HID: wacom: validate report size before kfifo insert

 drivers/hid/wacom_sys.c | 6 ++++++
 1 file changed, 6 insertions(+)
--
2.53.0