Commit 2497ff38 authored Jan 01, 2026 by Kwok Kin Ming Committed by Benjamin Tissoires Jan 07, 2026

HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()



`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.

The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).

The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.

Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.

The impact is low since access to hidraw devices requires root.

Signed-off-by: Kwok Kin Ming <kenkinming2002@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

parent f287ba59

drivers/hid/i2c-hid/i2c-hid-core.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -286,6 +286,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid,
		* In addition to report data device will supply data length
		* in the first 2 bytes of the response, so adjust .
		*/
		recv_len = min(recv_len, ihid->bufsize - sizeof(__le16));
		error = i2c_hid_xfer(ihid, ihid->cmdbuf, length,
		ihid->rawbuf, recv_len + sizeof(__le16));
		if (error) {