
Re: [PATCH v3] Bluetooth: HIDP: fix missing length checks in hidp_input_report()

From: patchwork-bot+bluetooth@kernel.org
Date: 2026-05-21 15:30:11
Also in: lkml, stable

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz [off-list ref]:

On Wed, 20 May 2026 18:56:43 -0400 you wrote:
hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.

hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in an
out-of-bounds read of skb data. The OOB bytes may be interpreted as
phantom key presses or spurious mouse movement.

[...]
Here is the summary with links:
  - [v3] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
    https://git.kernel.org/bluetooth/bluetooth-next/c/6522ecbcd122

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
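
The bug class described in the quoted commit message, as an added user-space sketch; it is not the applied patch or kernel code. `struct pkt`, the function names, the report-type values and the payload sizes (8 bytes keyboard, 3 bytes mouse) are assumptions, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for an skb: pointer to the data and count of valid bytes. */
struct pkt { const uint8_t *data; size_t len; };

/* Assumed for this sketch: report-type values and payload sizes. */
enum { REPORT_KEYBOARD = 0x01, REPORT_MOUSE = 0x02 };
enum { KEYBOARD_PAYLOAD = 8, MOUSE_PAYLOAD = 3 };

/* Copy the payload to out only if the packet holds all of it.
 * Returns the payload size, or -1 for a truncated or unknown report. */
static int input_report_checked(const struct pkt *p, uint8_t *out, size_t out_len)
{
    size_t need;
    if (p->len < 1)                 /* no report-type byte to switch on */
        return -1;
    switch (p->data[0]) {
    case REPORT_KEYBOARD: need = KEYBOARD_PAYLOAD; break;
    case REPORT_MOUSE:    need = MOUSE_PAYLOAD;    break;
    default:              return -1;
    }
    if (p->len < 1 + need || out_len < need)   /* the missing length check */
        return -1;
    memcpy(out, p->data + 1, need);
    return (int)need;
}

/* Models the receive path: drop the 1-byte header, then dispatch. */
static int recv_frame(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len)
{
    struct pkt p = { buf, len };
    if (p.len < 1)
        return -1;
    p.data += 1;                    /* header pulled before dispatch */
    p.len -= 1;
    return input_report_checked(&p, out, out_len);
}

/* Constructed sample frames: header byte, report type, payload. */
static const uint8_t full_kbd[]  = { 0xa1, 0x01, 0x02, 0, 0x04, 0, 0, 0, 0, 0 };
static const uint8_t short_kbd[] = { 0xa1, 0x01, 0x02 };

int main(void)
{
    uint8_t out[8];
    return recv_frame(full_kbd, sizeof full_kbd, out, sizeof out) == 8 &&
           recv_frame(short_kbd, sizeof short_kbd, out, sizeof out) == -1 ? 0 : 1;
}
```

The truncated frame is rejected before any payload byte is read, so no stale bytes past the valid data can be interpreted as key or mouse state.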
