[PATCH 1/4] HID: wacom: validate report length for PL and PTU handlers
From: Jinmo Yang
Date: Sun May 17 2026 - 09:53:01 EST

wacom_pl_irq() and wacom_ptu_irq() access fixed offsets up to data[7]
in the raw HID report buffer without validating the buffer length.
These sub-functions are called from wacom_wac_irq() which receives the
length parameter but does not pass it to the handlers.

A malicious USB device can declare a small HID report in its descriptor
and send a matching short report that passes the HID core size check
(csize >= rsize), but the driver assumes a full-size hardware report
layout, leading to slab-out-of-bounds reads.

Add minimum length checks in wacom_wac_irq() before dispatching to
wacom_pl_irq() and wacom_ptu_irq().

Fixes: 4104d13fe019 ("Input: move USB tablets under drivers/input/tablet")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jinmo Yang <jinmo44.yang@xxxxxxxxx>
---
drivers/hid/wacom_wac.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index da1f0ea85..6d06842b6 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -3453,6 +3453,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)
break;
case PL:
+ if (len < 8)
+ return;
sync = wacom_pl_irq(wacom_wac);
break;
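
Review bot: The bound in "if (len < 8)" under case PL is a bare literal with nothing at the call site tying it to the handler's accesses. The commit message says the handlers read up to data[7], so a one-line comment above the check, or a named minimum-length constant, would make it clear that 8 means "highest index read plus one" and would prompt an update if wacom_pl_irq() ever reads a later byte. The early return also discards the short report silently; a debug-level message here would help when triaging a misbehaving or hostile device.
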
@@ -3464,6 +3466,8 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)
break;
case PTU:
+ if (len < 8)
+ return;
sync = wacom_ptu_irq(wacom_wac);
break;
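
Review bot: The "if (len < 8)" guard under case PTU duplicates the PL check in the dispatcher, away from the data[] accesses it protects, so the two can drift apart from the handlers. Since the commit message notes that wacom_wac_irq() already receives len but does not pass it on, consider passing len into wacom_ptu_irq() and wacom_pl_irq() and validating at the top of each handler, which keeps the bound beside the reads and covers any future caller of those functions.
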
--
2.53.0