> commit 7c433bf4ab2de03b77e22dbd3984e39a386997a2
> Author: Yiyang Chen <[email protected]>
> Date:   Tue Jun 16 16:35:06 2026 +0000
>
>     HID: bpf: Fix hid_bpf_get_data() range check
>
>     hid_bpf_get_data() returns a pointer into the HID-BPF context data when
>     the caller-provided offset and size fit inside ctx->allocated_size.
>
>     The current check adds rdwr_buf_size and offset before comparing the
>     result against ctx->allocated_size. Since both values are unsigned, a
>     very large size can wrap the sum below ctx->allocated_size and make the
>     helper return a pointer even though the requested range is not contained
>     in the backing buffer.
>
>     Use a non-wrapping range check instead: reject offsets beyond the
>     allocation, then compare the requested size with the remaining bytes
>     after the offset.
>
>     Fixes: 4171954f56fb ("HID: bpf/dispatch: regroup kfuncs definitions")
>     Signed-off-by: Yiyang Chen <[email protected]>

The Fixes tag points to commit 4171954f56fb, but that commit only moved
hid_bpf_get_data() without changing its logic. Its commit message states
"No code change, just move down the hid_bpf_get_data() kfunc definition".

The vulnerable addition pattern 'rdwr_buf_size + offset > ctx->allocated_size'
was actually introduced in commit 658ee5a64fcf ("HID: bpf: allocate data
memory for device_event BPF programs"), which changed the field from ctx->size
to ctx->allocated_size while keeping the same overflow-prone check.

Should the Fixes tag reference the commit that introduced the buggy code:

  Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")

> diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c 
> b/drivers/hid/bpf/hid_bpf_dispatch.c
> index d0130658091b..09b45c40d84f 100644
> --- a/drivers/hid/bpf/hid_bpf_dispatch.c
> +++ b/drivers/hid/bpf/hid_bpf_dispatch.c
> @@ -299,7 +299,8 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int 
> offset, const size_t rdwr
>
>       ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
>
> -     if (rdwr_buf_size + offset > ctx->allocated_size)
> +     if (offset > ctx->allocated_size ||
> +         rdwr_buf_size > ctx->allocated_size - offset)
>               return NULL;
>
>       return ctx_kern->data + offset;
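Review bot: the two-clause check is sound as written: the first clause guarantees offset <= ctx->allocated_size, so ctx->allocated_size - offset cannot wrap, and comparing the size_t rdwr_buf_size against that unsigned difference needs no extra cast. One behaviour carried over unchanged from the old check is worth a short comment above the condition: offset == ctx->allocated_size with rdwr_buf_size == 0 still passes and returns ctx_kern->data + ctx->allocated_size, a zero-length range at the very end of the buffer; if callers must never receive an end pointer, the first clause would need `>=` instead of `>`. A one-line comment saying why the subtraction is safe would also protect the check from being folded back into an addition later.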

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27633665618
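The unsigned-wrap failure mode described in the quoted commit message, as an added example that is not part of this thread or of the kernel's own code. `struct demo_ctx`, `get_data_wrapping()`, `get_data_checked()` and `range_fits()` are constructed stand-ins for `hid_bpf_ctx` and `hid_bpf_get_data()`; only the two fields the range check touches are modelled. The 'before' function keeps the defective addition on purpose so the wrap can be observed against an oracle that never does arithmetic that can overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_BUF_LEN 256 /* backing storage for the constructed context */

/* Constructed stand-in for the kernel's hid_bpf_ctx: names are placeholders. */
struct demo_ctx {
	unsigned int allocated_size; /* bytes usable in data[] */
	unsigned char *data;
};

typedef unsigned char *(*get_data_fn)(struct demo_ctx *, unsigned int, size_t);

/* 'Before': the check from the left side of the hunk. The defect is kept on
 * purpose: rdwr_buf_size + offset is computed in size_t and can wrap. */
static unsigned char *get_data_wrapping(struct demo_ctx *ctx, unsigned int offset,
					size_t rdwr_buf_size)
{
	if (rdwr_buf_size + offset > ctx->allocated_size)
		return NULL;
	return ctx->data + offset;
}

/* 'After': the non-wrapping form from the right side of the hunk. The first
 * clause guarantees offset <= allocated_size, so the subtraction cannot wrap. */
static unsigned char *get_data_checked(struct demo_ctx *ctx, unsigned int offset,
				       size_t rdwr_buf_size)
{
	if (offset > ctx->allocated_size ||
	    rdwr_buf_size > ctx->allocated_size - offset)
		return NULL;
	return ctx->data + offset;
}

/* Oracle: does [offset, offset + size) lie inside the allocation? Written so
 * that no intermediate value can overflow. */
static bool range_fits(unsigned int allocated_size, unsigned int offset, size_t size)
{
	return offset <= allocated_size && size <= (size_t)(allocated_size - offset);
}

/* Return 1 when the helper's NULL/non-NULL decision agrees with the oracle,
 * 0 when it lets an out-of-range request through (or rejects a valid one).
 * Returns -1 if the constructed buffer is too small for the requested alloc. */
static int decision_matches(get_data_fn helper, unsigned int alloc,
			    unsigned int offset, size_t size)
{
	unsigned char buf[DEMO_BUF_LEN] = {0};
	struct demo_ctx ctx = { .allocated_size = alloc, .data = buf };
	unsigned char *p;

	if (alloc > DEMO_BUF_LEN)
		return -1;
	p = helper(&ctx, offset, size); /* pointer is never dereferenced here */
	return (p != NULL) == range_fits(alloc, offset, size);
}

int main(void)
{
	/* Constructed inputs: a 64-byte allocation, an 8-byte offset and a size
	 * chosen so that size + offset wraps to 3 in size_t arithmetic. */
	const unsigned int alloc = 64, offset = 8;
	const size_t huge = SIZE_MAX - 4;

	printf("wrapping check, in-range  size 56 : %s\n",
	       decision_matches(get_data_wrapping, alloc, offset, 56) ? "ok" : "WRONG");
	printf("wrapping check, huge size        : %s\n",
	       decision_matches(get_data_wrapping, alloc, offset, huge) ? "ok" : "WRONG");
	printf("checked  check, huge size        : %s\n",
	       decision_matches(get_data_checked, alloc, offset, huge) ? "ok" : "WRONG");
	printf("checked  check, offset past end  : %s\n",
	       decision_matches(get_data_checked, alloc, alloc + 1, 0) ? "ok" : "WRONG");
	return 0;
}
```

Run stand-alone, the second line reports the defect: with `size = SIZE_MAX - 4` the old sum wraps to 3, which is below 64, so a pointer is handed back for a range that is nowhere near contained in the buffer, while the rewritten check rejects it. The `range_fits()` oracle is the same shape as the fix; keeping it separate makes the point that a bounds check should be expressed as "offset within allocation, then size within the remainder", never as an addition compared against the limit.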
