From: Seungjin Bae eeodqql09@gmail.com
In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer.
Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access, which could result in a system panic.
Fixes: 948bf18 ("Input: remove third argument of usb_maxpacket()") Signed-off-by: Seungjin Bae eeodqql09@gmail.com --- drivers/input/tablet/pegasus_notetaker.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index 8d6b71d59793..6c4199712a4e 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -311,6 +311,11 @@ static int pegasus_probe(struct usb_interface *intf, }
pegasus->data_len = usb_maxpacket(dev, pipe); + if (pegasus->data_len < 5) { + dev_err(&intf->dev, "Invalid number of wMaxPacketSize\n"); + error = -EINVAL; + goto err_free_mem; + }
pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, &pegasus->data_dma);