[PATCH] Input: pegasus-notetaker - fix out-of-bounds access vulnerability in pegasus_parse_packet() function of the pegasus driver
From: Seungjin Bae eeodqql09@gmail.com
In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer.
Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access, which could result in a system panic.
Fixes: 948bf18 ("Input: remove third argument of usb_maxpacket()") Signed-off-by: Seungjin Bae eeodqql09@gmail.com --- drivers/input/tablet/pegasus_notetaker.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index 8d6b71d59793..6c4199712a4e 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -311,6 +311,11 @@ static int pegasus_probe(struct usb_interface *intf, }
pegasus->data_len = usb_maxpacket(dev, pipe); + if (pegasus->data_len < 5) { + dev_err(&intf->dev, "Invalid number of wMaxPacketSize\n"); + error = -EINVAL; + goto err_free_mem; + }
pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, &pegasus->data_dma);
On Tue, Oct 07, 2025 at 05:41:32PM -0400, pip-izony wrote:
From: Seungjin Bae eeodqql09@gmail.com
In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer.
Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access, which could result in a system panic.
Fixes: 948bf18 ("Input: remove third argument of usb_maxpacket()") Signed-off-by: Seungjin Bae eeodqql09@gmail.com
drivers/input/tablet/pegasus_notetaker.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index 8d6b71d59793..6c4199712a4e 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -311,6 +311,11 @@ static int pegasus_probe(struct usb_interface *intf, } pegasus->data_len = usb_maxpacket(dev, pipe);
- if (pegasus->data_len < 5) {
dev_err(&intf->dev, "Invalid number of wMaxPacketSize\n");error = -EINVAL;goto err_free_mem;- }
pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, &pegasus->data_dma); -- 2.43.0
<formletter>
This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
</formletter>
linux-stable-mirror@lists.linaro.org
-
Greg KH -
pip-izony