Re: [RFC v3 2/2] HID: core: Check to ensure report responses match the request

Next message: Albert Esteve: "[PATCH v6 4/5] drm: Suppress intentional warning backtraces in scaling unit tests"
Previous message: Harshal Dev: "Re: [PATCH v3 1/2] dt-bindings: crypto: ice: Document sm8250 inline crypto engine"
In reply to: Benjamin Tissoires: "Re: [RFC v3 2/2] HID: core: Check to ensure report responses match the request"
Next in thread: Benjamin Tissoires: "Re: [RFC v3 2/2] HID: core: Check to ensure report responses match the request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Lee Jones

Date: Tue Mar 17 2026 - 05:28:35 EST

On Mon, 16 Mar 2026, Benjamin Tissoires wrote:

> On Mar 09 2026, Lee Jones wrote:
> > It is possible for a malicious (or clumsy) device to respond to a
> > specific report's feature request using a completely different report
> > ID. This can cause confusion in the HID core resulting in nasty
> > side-effects such as OOB writes.
> >
> > Add a check to ensure that the report ID in the response, matches the
> > one that was requested.
> >
> > Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
> > ---
> > v2 -> v3: Cover more bases by moving the check up a layer from MT to HID Core
> >
> > RFC query: Is this always okay?
> > Should the report number always match the request?
> > Are there legitimate times where the two would differ?
>
> Technically, there is no reasons for a HID_SET_REPORT request to change
> the incoming buffer. So that test might break it.
>
> I prefered fixing the calling sites (hid-multitouch and others), because
> here we are making decisions on the device behaviour which is not ours
> to make. More specifically, such a test will prevent us to fix a bogus
> device by plainly rejecting the call after the facts.

Okay, so this one is a NACK? No changes, do not resend?

--
Lee Jones [李琼斯]