diff options
| author | Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> | 2026-06-23 06:23:15 +0000 |
|---|---|---|
| committer | Benjamin Tissoires <bentiss@kernel.org> | 2026-07-01 09:55:36 +0200 |
| commit | eebbef7c468a5cb58c4772849ee5066441166cf0 (patch) | |
| tree | 4fd881bf317103ef8688b1adc0115ef19097177e /include/linux | |
| parent | 5aad55011a37d999cf99d14bafb6a093a1a70466 (diff) | |
selftests/hid: Cover hid_bpf_get_data() size overflow
Add a HID-BPF regression check for hid_bpf_get_data() requests whose
size would overflow when added to the offset.
The new rdesc fixup callback asks for offset 2 and size ~0ULL, then
records whether the helper returns NULL. A vulnerable kernel returns a
non-NULL pointer because the runtime check wraps the addition. A fixed
kernel rejects the request. The callback records the helper result
without dereferencing any returned pointer.
The callback reports the helper result through BSS and returns 0
intentionally. hid_rdesc_fixup return values are consumed as report
descriptor fixup results, so a positive test-result value would be
interpreted as a replacement report descriptor size.
Also add KHDR_INCLUDES to the HID selftest build so hid_bpf.c sees the
current kernel UAPI HID definitions on systems whose installed headers do
not provide enum hid_report_type.
Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")
Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
