Re: (subset) [RFC v3 1/2] HID: core: Mitigate potential OOB by removing bogus memset()

Next message: Benjamin Tissoires: "Re: (subset) [PATCH 0/4] HID: bpf fixes for 7.0/7.1"
Previous message: Laurent Pinchart: "Re: [PATCH 03/14] drm/mode-config: Mention drm_mode_config_reset() culprits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Benjamin Tissoires

Date: Mon Mar 16 2026 - 12:00:40 EST

On Mon, 09 Mar 2026 14:59:29 +0000, Lee Jones wrote:
> The memset() in hid_report_raw_event() has the good intention of
> clearing out bogus data by zeroing the area from the end of the incoming
> data string to the assumed end of the buffer. However, as we have
> previously seen, doing so can easily result in OOB reads and writes in
> the subsequent thread of execution.
>
> The current suggestion from one of the HID maintainers is to remove the
> memset() and simply return if the incoming event buffer size is not
> large enough to fill the associated report.
>
> [...]

Applied, thanks!

[1/2] HID: core: Mitigate potential OOB by removing bogus memset()
commit: 0a3fe972a7cb1404f693d6f1711f32bc1d244b1c

Best regards,
--
Benjamin Tissoires <bentiss@xxxxxxxxxx>