[PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event()

Next message: Konrad Dybcio: "Re: [PATCH v3 1/2] pinctrl: qcom: lpass-lpi: Enable runtime PM hooks on remaining SoCs"
Previous message: Jonathan Cameron: "Re: [PATCH 0/8] iio: magnetometer: ak8975: driver cleanup"
Next in thread: Jiri Kosina: "Re: [PATCH] HID: pxrc: fix slab-out-of-bounds read/write in pxrc_raw_event()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jinmo Yang

Date: Fri May 08 2026 - 09:43:07 EST

pxrc_raw_event() accesses data[7] without verifying that the buffer is
large enough. A device that sends a report shorter than 8 bytes causes
an out-of-bounds read (priv->dial = data[7]) and an out-of-bounds write
(data[7] = priv->dial) on the report buffer, corrupting adjacent slab
memory.

This can be triggered from userspace via /dev/uhid by creating a virtual
device with VID 0x1781 / PID 0x0898 and sending a short UHID_INPUT2
report.

Add a size check at the top of pxrc_raw_event() to bail out when the
report buffer is shorter than 8 bytes.

Fixes: a2dccedac664 ("HID: pxrc: new driver for PhoenixRC Flight Controller Adapter")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jinmo Yang <jinmo44.yang@xxxxxxxxx>
---
drivers/hid/hid-pxrc.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-pxrc.c b/drivers/hid/hid-pxrc.c
index 07e20ff6018e..f2524547c7a1 100644
--- a/drivers/hid/hid-pxrc.c
+++ b/drivers/hid/hid-pxrc.c
@@ -53,6 +53,9 @@ static int pxrc_raw_event(struct hid_device *hdev, struct hid_report *report,
u8 *data, int size)
{
struct pxrc_priv *priv = hid_get_drvdata(hdev);
+
+ if (size < 8)
+ return 0;

if (priv->alternate)
priv->slider = data[7];
--
2.47.0