On Tue, 23 Jun 2026 06:23:12 +0000, Yiyang Chen wrote:
> hid_bpf_get_data() exposes a pointer into the HID-BPF context data when
> the caller-provided offset and size fit inside ctx->allocated_size.
> The helper currently checks that range with:
> 
>   rdwr_buf_size + offset > ctx->allocated_size
> 
> Since both operands are unsigned, a very large size can wrap the sum and
> make an out-of-range request look valid.
> 
> [...]

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git 
(for-7.2/upstream-fixes), thanks!

[1/3] HID: bpf: Fix hid_bpf_get_data() range check
      https://git.kernel.org/hid/hid/c/2d044049421d
[2/3] selftests/hid: Load only requested struct_ops maps
      https://git.kernel.org/hid/hid/c/5aad55011a37
[3/3] selftests/hid: Cover hid_bpf_get_data() size overflow
      https://git.kernel.org/hid/hid/c/eebbef7c468a

Cheers,
-- 
Benjamin Tissoires <[email protected]>
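
The wrap described in the quoted cover letter, as an added example that is not part of the original message or of the applied patch: a userspace model (hypothetical `struct ctx_model`, `size_t` types assumed) comparing the quoted check with one overflow-safe way to write it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the check quoted above; not the kernel source.
 * Names follow the quoted text, the types are an assumption. */
struct ctx_model {
    size_t allocated_size;   /* bytes available in the context data */
};

/* The quoted form: rejects when size + offset > allocated_size.
 * The unsigned sum can wrap past SIZE_MAX and come out small. */
static bool range_ok_wrapping(const struct ctx_model *ctx,
                              size_t offset, size_t rdwr_buf_size)
{
    return !(rdwr_buf_size + offset > ctx->allocated_size);
}

/* Overflow-safe form: compare the size against what is left after
 * the offset, so no intermediate value can exceed allocated_size. */
static bool range_ok_safe(const struct ctx_model *ctx,
                          size_t offset, size_t rdwr_buf_size)
{
    if (offset > ctx->allocated_size)
        return false;
    return rdwr_buf_size <= ctx->allocated_size - offset;
}

int main(void)
{
    struct ctx_model ctx = { .allocated_size = 64 };   /* constructed value */
    size_t offset = 8;
    size_t huge = SIZE_MAX - 3;   /* huge + 8 wraps around to 4 */

    printf("in-range  wrapping=%d safe=%d\n",
           range_ok_wrapping(&ctx, 0, 64), range_ok_safe(&ctx, 0, 64));
    printf("past-end  wrapping=%d safe=%d\n",
           range_ok_wrapping(&ctx, 60, 8), range_ok_safe(&ctx, 60, 8));
    printf("wrapped   wrapping=%d safe=%d\n",
           range_ok_wrapping(&ctx, offset, huge),
           range_ok_safe(&ctx, offset, huge));
    return 0;
}
```

Only the third case separates the two checks: the wrapping form accepts the request because the sum wraps to 4, while the subtraction form rejects it.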

