Linux Kernel HID-BPF Buffer Overflow Vulnerability in hid_hw_request

A buffer overflow vulnerability has been identified in the Linux kernel's HID-BPF implementation, specifically within the hid_hw_request function. This issue arises because the function currently assumes that the return value from dispatch_hid_bpf_raw_requests() is always valid. However, when interacting with HID-BPF, this return value can be arbitrarily large, potentially leading to a buffer overflow. The vulnerability is present in the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to a buffer overflow, which may allow for arbitrary code execution or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by using HID-BPF hooks that interact with the hid_hw_request function. The return value from these hooks can be manipulated to exceed expected limits, causing a buffer overflow.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the Linux kernel official website.