tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

HID: bpf: prevent buffer overflow in hid_hw_request

right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrary big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.

Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Acked-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

Benjamin Tissoires 2b658c1c 5d4c6c13

+2
+2
drivers/hid/bpf/hid_bpf_dispatch.c
··· 444 444 (u64)(long)ctx, 445 445 true); /* prevent infinite recursions */ 446 446 447 + if (ret > size) 448 + ret = size; 447 449 if (ret > 0) 448 450 memcpy(buf, dma_data, ret); 449 451