summaryrefslogtreecommitdiff
path: root/include/linux
diff options
context:
space:
mode:
authorYiyang Chen <chenyy23@mails.tsinghua.edu.cn>2026-06-23 06:23:15 +0000
committerBenjamin Tissoires <bentiss@kernel.org>2026-07-01 09:55:36 +0200
commiteebbef7c468a5cb58c4772849ee5066441166cf0 (patch)
tree4fd881bf317103ef8688b1adc0115ef19097177e /include/linux
parent5aad55011a37d999cf99d14bafb6a093a1a70466 (diff)
selftests/hid: Cover hid_bpf_get_data() size overflow
Add a HID-BPF regression check for hid_bpf_get_data() requests whose size would overflow when added to the offset. The new rdesc fixup callback asks for offset 2 and size ~0ULL, then records whether the helper returns NULL. A vulnerable kernel returns a non-NULL pointer because the runtime check wraps the addition. A fixed kernel rejects the request. The callback records the helper result without dereferencing any returned pointer. The callback reports the helper result through BSS and returns 0 intentionally. hid_rdesc_fixup return values are consumed as report descriptor fixup results, so a positive test-result value would be interpreted as a replacement report descriptor size. Also add KHDR_INCLUDES to the HID selftest build so hid_bpf.c sees the current kernel UAPI HID definitions on systems whose installed headers do not provide enum hid_report_type. Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs") Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions