On Tue Jun 16, 2026 at 12:35 PM EDT, Yiyang Chen wrote:
> hid_bpf_get_data() returns a pointer into the HID-BPF context data when
> the caller-provided offset and size fit inside ctx->allocated_size.
>
> The current check adds rdwr_buf_size and offset before comparing the
> result against ctx->allocated_size. Since both values are unsigned, a
> very large size can wrap the sum below ctx->allocated_size and make the
> helper return a pointer even though the requested range is not contained
> in the backing buffer.
>
> Use a non-wrapping range check instead: reject offsets beyond the
> allocation, then compare the requested size with the remaining bytes
> after the offset.
>
Reviewed-by: Emil Tsalapatis <[email protected]> > Fixes: 4171954f56fb ("HID: bpf/dispatch: regroup kfuncs definitions") > Signed-off-by: Yiyang Chen <[email protected]> > --- > drivers/hid/bpf/hid_bpf_dispatch.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c > b/drivers/hid/bpf/hid_bpf_dispatch.c > index d0130658091b0..09b45c40d84f0 100644 > --- a/drivers/hid/bpf/hid_bpf_dispatch.c > +++ b/drivers/hid/bpf/hid_bpf_dispatch.c > @@ -299,7 +299,8 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int > offset, const size_t rdwr > > ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx); > > - if (rdwr_buf_size + offset > ctx->allocated_size) > + if (offset > ctx->allocated_size || > + rdwr_buf_size > ctx->allocated_size - offset) > return NULL; > > return ctx_kern->data + offset;
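Review bot: the first clause `offset > ctx->allocated_size` still lets offset == ctx->allocated_size through, so a zero-length request at the very end passes and returns `ctx_kern->data + offset`, a pointer one past the buffer; that is benign only while no caller dereferences a zero-size result, so either tighten it to `>=` or state in the commit message that an empty range at the end of the allocation is accepted on purpose. The second clause `rdwr_buf_size > ctx->allocated_size - offset` cannot underflow only because `||` short-circuits after the first clause rejects offset > allocated_size, so the clause order is load-bearing and worth a one-line comment.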
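To make the wrap concrete, here is the old and the patched check side by side in plain userspace C; this is an added illustration, not code from the kernel tree. `struct ctx_model` is a hypothetical stand-in for struct hid_bpf_ctx carrying only the `allocated_size` field (a __u32 in the real structure), and the argument types match the kfunc's `unsigned int offset` and `const size_t rdwr_buf_size`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for struct hid_bpf_ctx: only the field the check reads. */
struct ctx_model {
	uint32_t allocated_size;	/* __u32 in the real context */
};

/* The check before the patch: rdwr_buf_size + offset can wrap below allocated_size. */
static bool old_range_ok(const struct ctx_model *ctx, unsigned int offset,
			 size_t rdwr_buf_size)
{
	return !(rdwr_buf_size + offset > ctx->allocated_size);
}

/* The patched check: reject offsets past the end first, then compare the size
 * against the bytes remaining after the offset. The subtraction cannot underflow
 * because || short-circuits once offset > allocated_size has been rejected. */
static bool new_range_ok(const struct ctx_model *ctx, unsigned int offset,
			 size_t rdwr_buf_size)
{
	if (offset > ctx->allocated_size ||
	    rdwr_buf_size > ctx->allocated_size - offset)
		return false;
	return true;
}

/* Helper so a single call exercises either variant against a constructed context. */
bool range_ok(bool patched, uint32_t allocated, unsigned int offset, size_t len)
{
	struct ctx_model ctx = { .allocated_size = allocated };

	return patched ? new_range_ok(&ctx, offset, len)
		       : old_range_ok(&ctx, offset, len);
}

int main(void)
{
	/* Constructed case: 64-byte buffer, offset 16, size chosen so the sum wraps to 7. */
	size_t huge = SIZE_MAX - 8;

	printf("old check accepts wrapping size: %d\n", range_ok(false, 64, 16, huge));
	printf("new check accepts wrapping size: %d\n", range_ok(true, 64, 16, huge));
	printf("new check accepts empty range at end: %d\n", range_ok(true, 64, 64, 0));
	return 0;
}
```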

