Message-ID: <iq4fdv5yak7xqiitlsmglsulsdzqaklsqdcv2rxswsduwqxfpy@lknyfow3yxwg>
Date: Mon, 8 Dec 2025 09:54:35 +0100
From: Benjamin Tissoires <bentiss@...nel.org>
To: Davide Beatrici <me@...idebeatrici.dev>
Cc: Terry Junge <linuxhid@...micgizmosystems.com>, 
	linux-kernel@...r.kernel.org, linux-input@...r.kernel.org, jikos@...nel.org, 
	benjamin.tissoires@...hat.com
Subject: Re: [PATCH] HID: validate report length and constants

On Dec 05 2025, Davide Beatrici wrote:
> > report 8 has csize=16 rsize=16
> > report 0 has csize=1 rsize=8
> > report 0 is too short, (1 < 8)
> > 
> > Which means we do enter the test and execute the memset()...
> 
> I added further debug prints to trace the flow after that:
> 
> hid-generic 0003:373B:1107.000F: report 8 has csize=16 rsize=16
> hid-generic 0003:373B:1107.000F: Calling hiddev_report_event()
> hid-generic 0003:373B:1107.000F: Calling hidraw_report_event()
> hid-generic 0003:373B:1107.000F: Calling hid_process_report()
> hid-generic 0003:373B:1107.000F: Calling hidinput_report_event()
> hid-generic 0003:373B:1107.000E: report 0 has csize=1 rsize=8
> hid-generic 0003:373B:1107.000E: report 0 is too short, (1 < 8)
> hid-generic 0003:373B:1107.000E: Calling hidraw_report_event()
> hid-generic 0003:373B:1107.000E: Calling hid_process_report()
> hid-generic 0003:373B:1107.000E: Calling hidinput_report_event()
> hid-generic 0003:373B:1107.0010: report 0 has csize=7 rsize=7
> hid-generic 0003:373B:1107.0010: Calling hidraw_report_event()
> hid-generic 0003:373B:1107.0010: Calling hid_process_report()
> hid-generic 0003:373B:1107.0010: Calling hidinput_report_event()
> 
> The last report is a normal mouse movement.

Thanks for the logs.

So the most conservative change should be to either:
- have a HID-BPF program that strips out reports of size 1
- have a new kernel driver for this device which maps to .raw_event()
	and rejects reports of size 1.

AFAICT, all the transport drivers are allocating the buffer with enough
space, so the memset should be safe, meaning that we can not enforce
the size to be at least the report size without risking breaking
devices, as this code has been around for a while.

IMO, the simplest is the HID-BPF route, as it's a matter of going to the
udev-hid-bpf project [1], adding your program in the testing dir, and
submitting a merge request. This way your device will be fixed and I'll
eventually take care of putting the HID-BPF program in
drivers/hid/bpf/progs so it gets installed in all distributions.

Cheers,
Benjamin

[1] https://gitlab.freedesktop.org/libevdev/udev-hid-bpf
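The HID-BPF route suggested above, as an added example that is not from this thread or from the udev-hid-bpf project: a device-event program that discards 1-byte reports from the 373B:1107 device before HID core, hidraw and hidinput see them. It assumes the hid_bpf.h / hid_bpf_helpers.h headers shipped with udev-hid-bpf (matching the in-tree drivers/hid/bpf/progs conventions, including HID_GROUP_ANY), and the program and ops names are my own.

```c
// SPDX-License-Identifier: GPL-2.0-only
/* Drop 1-byte reports from the device discussed in this thread.
 * Assumes udev-hid-bpf's hid_bpf.h / hid_bpf_helpers.h; VID/PID are
 * taken from the "0003:373B:1107" lines in the logs above, the
 * program and ops names are my own.
 */
#include "vmlinux.h"
#include "hid_bpf.h"
#include "hid_bpf_helpers.h"
#include <bpf/bpf_tracing.h>

#define VID_DEVICE 0x373B	/* from the logs: 0003:373B:1107 */
#define PID_DEVICE 0x1107

/* Attach only to this device (bus 0003 = USB); HID_GROUP_ANY is assumed
 * to be provided by hid_bpf.h so the HID group need not be known. */
HID_BPF_CONFIG(
	HID_DEVICE(BUS_USB, HID_GROUP_ANY, VID_DEVICE, PID_DEVICE)
);

SEC(HID_BPF_DEVICE_EVENT)
int BPF_PROG(drop_short_reports, struct hid_bpf_ctx *hid_ctx)
{
	/* hid_ctx->size is the length of the incoming report. Report 0 is
	 * declared as 8 bytes, so a 1-byte packet can never be a complete
	 * instance of it. A negative return discards the event, so the
	 * "report 0 is too short" path in HID core, and the memset() it
	 * performs, are never reached for this packet. Everything else
	 * (the 7-byte mouse movement, the 16-byte report 8) is passed on
	 * untouched.
	 */
	if (hid_ctx->size == 1)
		return -1;	/* discard this report */

	return 0;		/* report unchanged, keep processing */
}

HID_BPF_OPS(drop_short) = {
	.hid_device_event = (void *)drop_short_reports,
};

char _license[] SEC("license") = "GPL";
```

The program is built with clang for the BPF target by the udev-hid-bpf build, not by a host C compiler; while testing, check that the "report 0 is too short" debug line no longer appears for this device while mouse movement still works.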