| author | Benjamin Tissoires <bentiss@kernel.org> | 2026-03-13 08:40:25 +0100 |
|---|---|---|
| committer | Benjamin Tissoires <bentiss@kernel.org> | 2026-03-16 16:21:06 +0100 |
| commit | 2b658c1c442ec1cd9eec5ead98d68662c40fe645 (patch) | |
| tree | 127b0f24350f5b370ad30a2ddae4a55eb303fdee | |
| parent | 5d4c6c132ea9a967d48890dd03e6a786c060e968 (diff) | |
HID: bpf: prevent buffer overflow in hid_hw_request
Right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrarily big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.
Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Acked-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
| -rw-r--r-- | drivers/hid/bpf/hid_bpf_dispatch.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c index 892aca026ffa..33af17fdc729 100644 --- a/drivers/hid/bpf/hid_bpf_dispatch.c +++ b/drivers/hid/bpf/hid_bpf_dispatch.c @@ -444,6 +444,8 @@ hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz, (u64)(long)ctx, true); /* prevent infinite recursions */ + if (ret > size) + ret = size; if (ret > 0) memcpy(buf, dma_data, ret); |
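Review bot: The new `if (ret > size)` clamp sits before the `if (ret > 0)` test, so it also runs on negative return values, and the declarations of `ret` and `size` are outside this hunk. If `size` is a `size_t` like `buf__sz` and `ret` is a signed int, a negative error code is converted to a large unsigned value in the comparison, gets clamped to `size`, and the following `memcpy(buf, dma_data, ret)` then copies `size` bytes and the error is reported as success. Consider folding the bound into the positive branch, for example `if (ret > 0 && ret > size)`, or clamping inside the `if (ret > 0)` block. Separately, an out-of-range value from the struct_ops is silently truncated here; returning an error or emitting a warning would make a misbehaving HID-BPF program visible to the caller. The subject line names hid_hw_request while the function changed is hid_bpf_hw_request, which is worth aligning for anyone searching the log.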
