[PATCH 3/4] HID: wacom: validate report length for DTUS handler

Next message: Jinmo Yang: "[PATCH 1/4] HID: wacom: validate report length for PL and PTU handlers"
Previous message: Jinmo Yang: "[PATCH 0/4] HID: wacom: add report length validation in irq handlers"
In reply to: Jinmo Yang: "[PATCH 0/4] HID: wacom: add report length validation in irq handlers"
Next in thread: Jinmo Yang: "[PATCH 1/4] HID: wacom: validate report length for PL and PTU handlers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jinmo Yang

Date: Sun May 17 2026 - 09:52:46 EST

wacom_dtus_irq() accesses fixed offsets up to data[6] in the raw HID
report buffer without validating the buffer length. This sub-function
is called from wacom_wac_irq() which receives the length parameter but
does not pass it to the handler.

A malicious USB device can declare a small HID report in its descriptor
and send a matching short report that passes the HID core size check
(csize >= rsize), but the driver assumes a full-size hardware report
layout, leading to slab-out-of-bounds reads.

Add a minimum length check in wacom_wac_irq() before dispatching to
wacom_dtus_irq().

Fixes: 497ab1f290a2 ("Input: wacom - add support for DTU-1031")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jinmo Yang <jinmo44.yang@xxxxxxxxx>
---
drivers/hid/wacom_wac.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 873d58a6d..269e8318f 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -3479,6 +3479,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)

case DTUS:
case DTUSX:
+ if (len < 7)
+ return;
sync = wacom_dtus_irq(wacom_wac);
break;

--
2.53.0