HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

kenkinming2002 · Benjamin Tissoires · commit 2497ff38c530 · 2026-01-07T18:35:58.000+01:00
`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid-&gt;rawbuf`.

The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).

The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.

Fix this by truncating `recv_len` to `ihid-&gt;bufsize - sizeof(__le16)`.

The impact is low since access to hidraw devices requires root.

Signed-off-by: Kwok Kin Ming &lt;kenkinming2002@gmail.com&gt;
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -286,6 +286,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid,
 	 * In addition to report data device will supply data length
 	 * in the first 2 bytes of the response, so adjust .
 	 */
+	recv_len = min(recv_len, ihid->bufsize - sizeof(__le16));
 	error = i2c_hid_xfer(ihid, ihid->cmdbuf, length,
 			     ihid->rawbuf, recv_len + sizeof(__le16));
 	if (error) {
