From: Guangshuo Li
To: Jiri Kosina, Benjamin Tissoires, Kees Cook, Puranjay Mohan, Johan Hovold, Guangshuo Li, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH] HID: bpf: Fix signedness bug in hid_bpf_hw_request
Date: Sun, 5 Jul 2026 00:07:02 +0800
Message-ID: <20260704160703.156298-1-lgs201920130244@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

hid_bpf_hw_request() clamps the return value of hid_hw_raw_request() to
the size of the caller supplied buffer before copying data back to the
BPF buffer.

However, ret is signed while size is unsigned. If hid_hw_raw_request()
returns a negative error code, the comparison promotes ret to size_t.
This makes the negative value look like a very large positive value, so
the error is clamped to size. The following memcpy() then treats the
failed request as a successful transfer and copies stale data back to
the caller.

Only clamp positive return values. This preserves negative error codes
while still preventing oversized successful returns from overflowing the
caller supplied buffer.

Fixes: 2b658c1c442e ("HID: bpf: prevent buffer overflow in hid_hw_request")
Signed-off-by: Guangshuo Li
---
 drivers/hid/bpf/hid_bpf_dispatch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_d= ispatch.c index d0130658091b..b13f911e5944 100644 --- a/drivers/hid/bpf/hid_bpf_dispatch.c +++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -446,7 +446,7 @@ hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, = size_t buf__sz, (u64)(long)ctx, true); /* prevent infinite recursions */ =20 - if (ret > size) + if (ret > 0 && ret > size) ret =3D size; if (ret > 0) memcpy(buf, dma_data, ret); --=20 2.43.0
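
Review bot: In the changed condition `if (ret > 0 && ret > size)`, the right-hand `ret > size` is still a signed/unsigned comparison and is only correct because `ret > 0` short-circuits first, which a later cleanup could easily undo. Since the next statement is already `if (ret > 0) memcpy(buf, dma_data, ret);`, consider moving the clamp inside that positive branch with an explicit cast, for example `if ((size_t)ret > size) ret = size;`, so the clamp and the copy sit under a single sign check. A one-line comment saying that negative error codes must pass through unclamped would document the intent at the site.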