diff options
| author | Lee Jones <lee@kernel.org> | 2026-02-27 19:30:25 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-11 15:29:21 +0300 |
| commit | 2edc92f89eee328b5be5706b5d431bf90669e9c0 (patch) | |
| tree | 8355b04fceae6e9cec1577f301760d070204a338 /drivers/hid | |
| parent | 3362980d8e02aa6e7d35fc7b2322fa8d84f7c25c (diff) | |
| download | linux-2edc92f89eee328b5be5706b5d431bf90669e9c0.tar.xz | |
HID: multitouch: Check to ensure report responses match the request
[ Upstream commit e716edafedad4952fe3a4a273d2e039a84e8681a ]
It is possible for a malicious (or clumsy) device to respond to a
specific report's feature request using a completely different report
ID. This can cause confusion in the HID core resulting in nasty
side-effects such as OOB writes.
Add a check to ensure that the report ID in the response, matches the
one that was requested. If it doesn't, omit reporting the raw event and
return early.
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/hid')
| -rw-r--r-- | drivers/hid/hid-multitouch.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index b8a748bbf0fd..e82a3c4e5b44 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -526,12 +526,19 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report) dev_warn(&hdev->dev, "failed to fetch feature %d\n", report->id); } else { + /* The report ID in the request and the response should match */ + if (report->id != buf[0]) { + hid_err(hdev, "Returned feature report did not match the request\n"); + goto free; + } + ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf, size, 0); if (ret) dev_warn(&hdev->dev, "failed to report feature\n"); } +free: kfree(buf); } |