Description
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root.
Product status
85df713377ddc0482071c3e6b64c37bd1e48f1f1 (git) before f9c9ad89d845f88a1509e9d672f65d234425fde9
85df713377ddc0482071c3e6b64c37bd1e48f1f1 (git) before cff3f619fd1cb40cdd89971df9001f075613d219
85df713377ddc0482071c3e6b64c37bd1e48f1f1 (git) before 786ec171788bdf9dda38789163f1b1fbb47f2d1e
85df713377ddc0482071c3e6b64c37bd1e48f1f1 (git) before 2124279f1f8c32c1646ce98e75a1a39b23b7db76
85df713377ddc0482071c3e6b64c37bd1e48f1f1 (git) before 2497ff38c530b1af0df5130ca9f5ab22c5e92f29
5.18
Any version before 5.18
6.1.163 (semver)
6.6.124 (semver)
6.12.70 (semver)
6.18.10 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/f9c9ad89d845f88a1509e9d672f65d234425fde9
git.kernel.org/...c/cff3f619fd1cb40cdd89971df9001f075613d219
git.kernel.org/...c/786ec171788bdf9dda38789163f1b1fbb47f2d1e
git.kernel.org/...c/2124279f1f8c32c1646ce98e75a1a39b23b7db76
git.kernel.org/...c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29