| author | Seungjin Bae <[email protected]> | 2025-10-17 22:36:31 +0000 |
|---|---|---|
| committer | Dmitry Torokhov <[email protected]> | 2025-10-18 01:04:15 +0000 |
| commit | 69aeb507312306f73495598a055293fa749d454e (patch) | |
| tree | 403ca9c576429e2818d36664519a0475671cf7e4 /tools/lib/traceevent/plugins/plugin_function.c | |
| parent | Input: goodix - remove setting of RST pin to input (diff) | |
Input: pegasus-notetaker - fix potential out-of-bounds access

In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.

Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
Signed-off-by: Seungjin Bae <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Signed-off-by: Dmitry Torokhov <[email protected]>
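
The class of bug the commit message describes, as a user-space C model added here for illustration; it is not the driver's code and not the patch, whose hunks this page does not show. `MODEL_MIN_PACKET_LEN`, the function names and the field layout are assumptions; only the first-byte values 0x80 and 0x42 come from the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the parser reads at most this many bytes of one packet. */
#define MODEL_MIN_PACKET_LEN 6

/* Probe-time check: refuse an endpoint whose advertised packet size (and
 * therefore the transfer buffer sized from it) is below what the parser reads. */
int model_check_endpoint(uint16_t w_max_packet_size)
{
    return w_max_packet_size < MODEL_MIN_PACKET_LEN ? -EINVAL : 0;
}

/* Parse-time check: every indexed read is preceded by a length test against
 * the bytes actually available. Returns 1 if decoded, 0 if ignored, <0 on error. */
int model_parse_packet(const uint8_t *data, size_t len,
                       uint16_t *x, uint16_t *y)
{
    if (len < 1)
        return -EINVAL;
    /* First-byte values named in the commit message; layout is constructed. */
    if (data[0] != 0x80 && data[0] != 0x42)
        return 0;
    if (len < MODEL_MIN_PACKET_LEN)
        return -EMSGSIZE;               /* short packet: drop, never index */
    *x = (uint16_t)(data[2] | (data[3] << 8));  /* little-endian u16 */
    *y = (uint16_t)(data[4] | (data[5] << 8));
    return 1;
}

int main(void)
{
    /* Constructed samples: a 1-byte packet and a full 6-byte packet. */
    const uint8_t tiny[] = { 0x80 };
    const uint8_t full[] = { 0x80, 0x00, 0x34, 0x12, 0x78, 0x56 };
    uint16_t x = 0, y = 0;

    printf("endpoint size 1: %d\n", model_check_endpoint(1));
    printf("endpoint size 8: %d\n", model_check_endpoint(8));
    printf("tiny packet:     %d\n", model_parse_packet(tiny, sizeof(tiny), &x, &y));
    printf("full packet:     %d\n", model_parse_packet(full, sizeof(full), &x, &y));
    printf("x=0x%04x y=0x%04x\n", x, y);
    return 0;
}
```

Either check alone closes the read past the buffer in this model; the probe-time one rejects the device before any packet is parsed.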
Diffstat (limited to 'tools/lib/traceevent/plugins/plugin_function.c')
0 files changed, 0 insertions, 0 deletions
