Linux Kernel HID i2c-hid Buffer Overflow Vulnerability in i2c_hid_get_report

Vulnerability

A potential buffer overflow vulnerability has been identified in the Linux kernel's i2c-hid HID driver. The issue is in the i2c_hid_get_report function, where i2c_hid_xfer reads a caller-specified number of bytes into a driver buffer. That length can be influenced by userspace input through the hidraw driver and is bounded only by a default maximum of 16,384 bytes; the specific report types of the device may constrain it further to a smaller value. The fix modifies the code so that the received length cannot exceed the buffer size minus the size of a header field. Access to hidraw devices typically requires root privileges, which limits the impact of this vulnerability.
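A constructed model of the length check the advisory describes, added here as an illustration and not the kernel's i2c-hid code: the buffer size, the 2-byte header width and the function names are assumptions chosen to make the vulnerable and fixed shapes easy to compare.

```c
/* Constructed model of the i2c-hid length check described above. Added
 * illustration, not kernel code: HDR_LEN, bufsize and the function names are
 * assumptions; DEFAULT_MAX is the hidraw default maximum quoted in the text. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN      2u      /* assumed size of the length header preceding report data */
#define DEFAULT_MAX  16384u  /* default upper bound reachable from hidraw, per the advisory */

/* Vulnerable shape: the transfer length is derived from the requested report
 * length alone, so nothing ties the bytes written into the driver's buffer to
 * that buffer's actual size. */
static size_t unchecked_xfer_len(size_t requested_len)
{
    return requested_len + HDR_LEN;
}

/* Fixed shape: a request is accepted only if its payload plus the header fits
 * in the buffer; otherwise the caller gets -EINVAL and no transfer happens. */
static int checked_xfer_len(size_t requested_len, size_t bufsize, size_t *xfer_len)
{
    if (bufsize < HDR_LEN || requested_len > bufsize - HDR_LEN)
        return -EINVAL;
    *xfer_len = requested_len + HDR_LEN;
    return 0;
}

/* Returns 1 if the unchecked computation would write past a buffer of bufsize bytes. */
static int unchecked_overflows(size_t requested_len, size_t bufsize)
{
    return unchecked_xfer_len(requested_len) > bufsize;
}

int main(void)
{
    const size_t bufsize = 64;   /* constructed: a device whose largest report is 64 bytes */
    const size_t requests[] = { 62, 63, DEFAULT_MAX };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        size_t n = 0;
        int rc = checked_xfer_len(requests[i], bufsize, &n);
        printf("request %5zu: unchecked would %s, checked -> %s\n",
               requests[i],
               unchecked_overflows(requests[i], bufsize) ? "overflow" : "fit",
               rc == 0 ? "accepted" : "rejected (-EINVAL)");
    }
    return 0;
}
```

The boundary case is the request of exactly bufsize minus the header, which is the largest one the fixed check still accepts.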

Impact

Exploitation of this vulnerability could lead to a buffer overflow, a common class of memory-safety error that can result in arbitrary code execution or a crash. In this case, however, the impact is considered low because access to the affected hidraw devices requires root privileges.

Reproduction

The vulnerability can be reproduced by sending a report through the hidraw driver that exceeds the buffer size limit, taking advantage of the fact that the received length can be influenced by userspace input. This requires a hidraw device that reports a larger-than-allowed report length, which the i2c-hid driver then handles improperly, leading to a buffer overflow.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree. Instructions for downloading the updated kernel can be found in the Linux kernel documentation.

Added: Feb 14, 2026, 5:37 PM
Updated: Feb 14, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 3.4
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.