diff options
| author | Tianchu Chen <flynnnchen@tencent.com> | 2026-05-29 13:42:47 +0000 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.com> | 2026-06-10 18:34:56 +0200 |
| commit | db0a0768d09273aadadeb76730cd658d720333a4 (patch) | |
| tree | 935474c28aee89ddb7243b1b587700c813af3a15 /scripts | |
| parent | b251598b8bf37300510868f739a79e07800d41ce (diff) | |
HID: hid-goodix-spi: validate report size to prevent stack buffer overflow
goodix_hid_set_raw_report() builds a protocol frame in a 128-byte stack
buffer (tmp_buf), writing an 11-12 byte header followed by the
caller-supplied report data. The HID core caps report size at
HID_MAX_BUFFER_SIZE (16384) by default, while the driver does not set
hid_ll_driver.max_buffer_size and performs no bounds checking before
copying the payload:
memcpy(tmp_buf + tx_len, buf, len);
A hidraw SET_REPORT ioctl with a report larger than ~116 bytes
overflows the stack buffer.
Add a size check after constructing the header, rejecting reports that
would exceed the buffer capacity.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
Fixes: 75e16c8ce283 ("HID: hid-goodix: Add Goodix HID-over-SPI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
