[{"id":3668683,"web_url":"http://patchwork.ozlabs.org/comment/3668683/","msgid":"<CAPnwWgOY6UO2JKMNWw_fZK3Vvg_v9zQWX6Ugz=X+b4esPTn7Rg@mail.gmail.com>","list_archive_url":null,"date":"2026-03-24T20:00:20","subject":"Re: [PATCH] HID: ft260: validate report size in raw_event handler","submitter":{"id":5876,"url":"http://patchwork.ozlabs.org/api/people/5876/","name":"Michael Zaidman","email":"michael.zaidman@gmail.com"},"content":"Hi Sebastian,\n\nThanks for the patch. The report size validation gap in ft260_raw_event()\nis a valid concern - the raw_event callback is indeed invoked before\nhid_report_raw_event() validates the report size, so a truncated report\nfrom a malicious or buggy device could cause OOB reads.\n\nHowever, I have a couple of comments on the proposed fix:\n\nPlease use the existing FT260_REPORT_MAX_LENGTH macro instead of the\nhardcoded 64.\n\nMore importantly, the size < 64 check alone is insufficient. It prevents\naccessing struct fields in a truncated buffer, but does not guard against\na corrupted xfer->length field in an otherwise full-sized report.\n\nConsider: a device sends a valid 64-byte report (passes the size check),\nbut with xfer->length set to, say, 100. The data payload starts at offset 2,\nso only 62 bytes are available in the buffer. The existing check at line 1077\nvalidates against the destination buffer (dev->read_len - dev->read_idx),\nnot the source. 
If read_len is large enough (e.g., 180), the check passes,\nand the memcpy reads 100 bytes from a 62-byte region - a 38-byte OOB heap\nread from the source side.\n\nA more complete fix would validate xfer->length against the actual report size:\n\n    struct ft260_i2c_input_report *xfer = (void *)data;\n    if (size < FT260_REPORT_MAX_LENGTH) {\n        hid_warn(hdev, \"short report: %d\\n\", size);\n        return 0;\n    }\n    if (xfer->length > size -\n        offsetof(struct ft260_i2c_input_report, data)) {\n        hid_warn(hdev, \"payload %d exceeds report size %d\\n\",\n             xfer->length, size);\n        return 0;\n    }\nThis catches both truncated reports and corrupted length fields.\n\nWould you like to send a v2 addressing the above?\n\nThanks, Michael\n\nOn Tue, Mar 24, 2026 at 7:35 PM Sebastian Josue Alba Vives\n<sebasjosue84@gmail.com> wrote:\n>\n> ft260_raw_event() casts the raw data buffer to a\n> ft260_i2c_input_report struct and accesses its fields without\n> validating the size parameter. Since __hid_input_report() invokes\n> the driver's raw_event callback before hid_report_raw_event()\n> performs its own report-size validation, a device sending a\n> truncated HID report can cause out-of-bounds heap reads in the\n> kernel.\n>\n> In the I2C response path, xfer->length (data[1]) is used as the\n> length for a memcpy into dev->read_buf. While xfer->length is\n> checked against dev->read_len, there is no check that size is large\n> enough to actually contain xfer->length bytes of data starting at\n> offset 2. A malicious USB device could therefore cause an OOB read\n> from the kernel heap, with the result accessible from userspace via\n> the I2C read interface.\n>\n> FT260 devices use 64-byte HID reports. Add a check at the top of\n> the handler to reject any report shorter than expected, and log a\n> warning to aid debugging.\n>\n> Cc: stable@vger.kernel.org\n> 
Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>\n> ---\n>  drivers/hid/hid-ft260.c | 6 ++++++\n>  1 file changed, 6 insertions(+)\n>\n> diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c\n> index 333341e80..7ca323992 100644\n> --- a/drivers/hid/hid-ft260.c\n> +++ b/drivers/hid/hid-ft260.c\n> 
@@ -1068,6 +1068,12 @@ static int ft260_raw_event(struct hid_device *hdev, struct hid_report *report,\n>         struct ft260_device *dev = hid_get_drvdata(hdev);\n>         struct ft260_i2c_input_report *xfer = (void *)data;\n>\n> +       /* FT260 always sends 64-byte reports */\n> +       if (size < 64) {\n> +               hid_warn(hdev, \"report too short: %d < 64\\n\", size);\n> +               return 0;\n> +       }\n> +\n>         if (xfer->report >= FT260_I2C_REPORT_MIN &&\n>             xfer->report <= FT260_I2C_REPORT_MAX) {\n>                 ft260_dbg(\"i2c resp: rep %#02x len %d\\n\", xfer->report,\n> --\n> 2.43.0\n>","headers":{"From":"Michael Zaidman <michael.zaidman@gmail.com>","Date":"Tue, 24 Mar 2026 22:00:20 +0200","Subject":"Re: [PATCH] HID: ft260: validate report size in raw_event handler","To":"Sebastian Josue Alba Vives <sebasjosue84@gmail.com>","Cc":"jikos@kernel.org, bentiss@kernel.org, linux-i2c@vger.kernel.org,\n\tlinux-input@vger.kernel.org, linux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org","Message-ID":"<CAPnwWgOY6UO2JKMNWw_fZK3Vvg_v9zQWX6Ugz=X+b4esPTn7Rg@mail.gmail.com>","In-Reply-To":"<20260324173527.11321-1-sebasjosue84@gmail.com>","References":"<20260324173527.11321-1-sebasjosue84@gmail.com>","List-Id":"<linux-i2c.vger.kernel.org>","X-Mailing-List":"linux-i2c@vger.kernel.org","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}}]
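Review bot: the new if (size < 64) guard at the top of the ft260_raw_event() hunk makes the two header fields safe to read but leaves xfer->length unbounded against what the report actually carries, so the later memcpy of xfer->length bytes from offset 2 can still run past a full-sized report whose length byte is corrupted (a 64-byte report claiming 100 bytes passes this check and the existing destination check when read_len is large enough). Add a second check before the I2C branch, xfer->length > size - offsetof(struct ft260_i2c_input_report, data), and reject the report when it fails; replace the literal 64 and the "%d < 64" format with FT260_REPORT_MAX_LENGTH so the guard cannot drift from the driver's own report-size definition; and consider hid_warn_once() or a rate-limited variant for the short-report message, since an unconditional hid_warn() lets a misbehaving device emit a log line for every malformed report it sends.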
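Worked example, added here and not part of the thread, the patch, or the hid-ft260 driver: a small userspace C model of the I2C response path that Michael's reply walks through. It runs constructed reports (the reply's full 64-byte report whose length byte claims 100 with read_len 180, a truncated 16-byte report, a well-formed one, and one that overruns the destination) through the handler's current destination-only check and through the two checks proposed in the reply, and reports the 38-byte source overrun the current logic would incur. The report-ID range, the value 64 for FT260_REPORT_MAX_LENGTH, the struct layout and the device state are assumed stand-ins for the driver's own definitions, and the model records the would-be overrun instead of actually reading past the buffer.

```c
/*
 * Added example, not kernel code and not from either patch author: a userspace
 * model of the I2C response path in ft260_raw_event(), contrasting today's
 * destination-only check with the reply's two checks (report size first, then
 * the length byte against the SOURCE report). Layout and constants are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FT260_REPORT_MAX_LENGTH 64   /* assumed: FT260 reports are 64 bytes */
#define FT260_I2C_REPORT_MIN    0xD0 /* assumed I2C response report ID range */
#define FT260_I2C_REPORT_MAX    0xDE

/* Layout the driver casts the raw HID buffer to: ID, length, payload. */
struct ft260_i2c_input_report {
	uint8_t report;
	uint8_t length;
	uint8_t data[];
};

/* Payload bytes actually present in a report of 'size' bytes (size - 2). */
#define PAYLOAD_AVAIL(size) \
	((size) - (int)offsetof(struct ft260_i2c_input_report, data))

struct ft260_device {            /* stand-in for the driver's pending-read state */
	uint8_t  read_buf[256];
	uint16_t read_len;       /* bytes the pending I2C read expects in total */
	uint16_t read_idx;       /* bytes copied so far */
};

enum verdict { ACCEPT = 0, REJECT_SHORT_REPORT, REJECT_BAD_LENGTH, REJECT_DST_OVERFLOW };

/*
 * Today's logic: only the destination bound is checked. Instead of copying past
 * the report, record how many bytes the memcpy would read beyond it (callers
 * pass size >= 2 so the header fields are readable in this userspace model).
 */
static enum verdict raw_event_original(struct ft260_device *dev,
				       const uint8_t *data, int size,
				       int *src_overrun)
{
	const struct ft260_i2c_input_report *xfer = (const void *)data;
	int avail = PAYLOAD_AVAIL(size);
	*src_overrun = 0;
	if (xfer->report < FT260_I2C_REPORT_MIN ||
	    xfer->report > FT260_I2C_REPORT_MAX)
		return ACCEPT;                       /* not an I2C response */
	if (xfer->length > dev->read_len - dev->read_idx)
		return REJECT_DST_OVERFLOW;          /* the only existing check */
	if (xfer->length > avail) {
		*src_overrun = xfer->length - avail; /* kernel would read OOB */
		return ACCEPT;
	}
	memcpy(&dev->read_buf[dev->read_idx], xfer->data, xfer->length);
	dev->read_idx += xfer->length;
	return ACCEPT;
}

/* Same path with the reply's two checks placed before any field is trusted. */
static enum verdict raw_event_hardened(struct ft260_device *dev,
				       const uint8_t *data, int size)
{
	const struct ft260_i2c_input_report *xfer = (const void *)data;
	if (size < FT260_REPORT_MAX_LENGTH)
		return REJECT_SHORT_REPORT;  /* truncated: fields untrustworthy */
	if (xfer->length > PAYLOAD_AVAIL(size))
		return REJECT_BAD_LENGTH;    /* length byte exceeds the source */
	if (xfer->report < FT260_I2C_REPORT_MIN ||
	    xfer->report > FT260_I2C_REPORT_MAX)
		return ACCEPT;
	if (xfer->length > dev->read_len - dev->read_idx)
		return REJECT_DST_OVERFLOW;  /* destination bound, as today */
	memcpy(&dev->read_buf[dev->read_idx], xfer->data, xfer->length);
	dev->read_idx += xfer->length;
	return ACCEPT;
}

/*
 * Feed one constructed report (I2C response ID, length byte 'claimed', 'size'
 * bytes on the wire, 0xAA filler) to both models with fresh devices expecting
 * 'read_len' bytes; returns the hardened verdict, stores the original overrun.
 */
static enum verdict run_report(int size, uint8_t claimed, uint16_t read_len,
			       int *orig_overrun)
{
	struct ft260_device dev_a = { .read_len = read_len };
	struct ft260_device dev_b = { .read_len = read_len };
	uint8_t rep[FT260_REPORT_MAX_LENGTH];
	memset(rep, 0xAA, sizeof(rep));
	rep[0] = FT260_I2C_REPORT_MIN;
	rep[1] = claimed;
	raw_event_original(&dev_a, rep, size, orig_overrun);
	return raw_event_hardened(&dev_b, rep, size);
}
```

Link it with a main that calls run_report(64, 100, 180, &overrun): the original model reports a 38-byte source overrun (100 claimed, 62 present) and still returns ACCEPT, while the hardened model returns REJECT_BAD_LENGTH. The order of the checks in raw_event_hardened matters: the size check must come first because xfer->length is itself read from the buffer, and the source-length check must precede every use of xfer->length in the copy path.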