Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Input: pegasus-notetaker - fix potential out-of-bounds access

In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.

Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Authored by Seungjin Bae and committed by Dmitry Torokhov
69aeb507 7363096a

+9
drivers/input/tablet/pegasus_notetaker.c
··· 63 63 #define BUTTON_PRESSED 0xb5 64 64 #define COMMAND_VERSION 0xa9 65 65 66 + /* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */ 67 + #define NOTETAKER_PACKET_SIZE 6 68 + 66 69 /* in xy data packet */ 67 70 #define BATTERY_NO_REPORT 0x40 68 71 #define BATTERY_LOW 0x41 ··· 314 311 } 315 312 316 313 pegasus->data_len = usb_maxpacket(dev, pipe); 314 + if (pegasus->data_len < NOTETAKER_PACKET_SIZE) { 315 + dev_err(&intf->dev, "packet size is too small (%d)\n", 316 + pegasus->data_len); 317 + error = -EINVAL; 318 + goto err_free_mem; 319 + } 317 320 318 321 pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, 319 322 &pegasus->data_dma);
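Review bot: NOTETAKER_PACKET_SIZE, added after COMMAND_VERSION in the first hunk, is only used as a lower bound in the probe check (`pegasus->data_len < NOTETAKER_PACKET_SIZE`), so the name should say so, for example NOTETAKER_MIN_PACKET_SIZE. The comment gives the layout (1 Status + 1 Color + 2 X + 2 Y) but not which packet it describes. It sits directly above the "in xy data packet" constants, so stating that this is the xy data packet, and that no other packet type is parsed beyond 6 bytes, would let a reader confirm that 6 is the right bound.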
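Review bot: the new check after `pegasus->data_len = usb_maxpacket(dev, pipe);` in the second hunk bounds the allocation only; it does not tie parsing to the number of bytes the device actually sent. The commit message says pegasus_parse_packet() parses without checking the buffer size, and the nine added lines do not touch that function, so a transfer shorter than NOTETAKER_PACKET_SIZE would still be parsed as a full packet from whatever the buffer already holds. Consider also rejecting completions whose received length is below NOTETAKER_PACKET_SIZE before the parser is called. Minor: the dev_err() message could print the required minimum alongside the reported size, so the log line is self-explanatory.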