Input: pegasus-notetaker - fix potential out-of-bounds access - user/sven/linux.git

diff options

author	Seungjin Bae <eeodqql09@gmail.com>	2025-10-17 15:36:31 -0700
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2025-10-17 18:04:15 -0700
commit	69aeb507312306f73495598a055293fa749d454e (patch)
tree	403ca9c576429e2818d36664519a0475671cf7e4 /net/unix/af_unix.c
parent	7363096a5a08f8740c9075ecfc51945375c304bc (diff)

Input: pegasus-notetaker - fix potential out-of-bounds access

In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Signed-off-by: Seungjin Bae <eeodqql09@gmail.com> Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Diffstat (limited to 'net/unix/af_unix.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: