Input: pegasus-notetaker - fix potential out-of-bounds access - user/sven/linux.git

diff options

author	Seungjin Bae <eeodqql09@gmail.com>	2025-11-24 14:20:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-12-03 12:45:22 +0100
commit	c4e746651bd74c38f581e1cf31651119a94de8cd (patch)
tree	c40595af72eb98f7c66cb9a213a4e5f95c489cba /kernel/debug
parent	a643fecbcac0a343fc83393ebf31eb09cd556e5b (diff)

Input: pegasus-notetaker - fix potential out-of-bounds access

[ Upstream commit 69aeb507312306f73495598a055293fa749d454e ] In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Signed-off-by: Seungjin Bae <eeodqql09@gmail.com> Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'kernel/debug')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: