Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Human Interface Device (HID) subsystem can lead to out-of-bounds (OOB) reads and writes. This issue arises from a misguided attempt to clear invalid data in the 'hid_report_raw_event()' function. The original intention was to remove erroneous data by zeroing the buffer from the end of the incoming data to the presumed end of the buffer. However, this approach has inadvertently caused OOB read and write operations in subsequent execution threads. The vulnerability affects the Linux kernel HID core, specifically in versions prior to the latest patch.
Exploitation of this vulnerability can cause out-of-bounds reads and writes, potentially leading to memory corruption or other unintended behavior in the affected application or system.
To reproduce this vulnerability, send an HID report with a data string that is shorter than the expected buffer size. The 'hid_report_raw_event()' function will attempt to clear the 'cdata' buffer by zeroing out the area from the end of the incoming data to the assumed end of the buffer. This can result in out-of-bounds reads and writes in the following execution thread.
Users can apply the latest patch available in the Linux kernel stable tree to address this vulnerability.
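The zero-fill flaw described above, modelled in userspace C as an added example; it is not kernel code and not the upstream patch. The names zero_fill_overrun, handle_report, csize (bytes received), rsize (bytes expected) and bufsize are assumptions, and rejecting short reports is one possible mitigation assumed here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern (modelled, never executed here):
 *     memset(cdata + csize, 0, rsize - csize);
 * It is in bounds only if cdata really holds rsize bytes. Returns how many
 * bytes that memset would write past a buffer of bufsize bytes. */
size_t zero_fill_overrun(size_t bufsize, size_t csize, size_t rsize)
{
    if (csize >= rsize || csize > bufsize)
        return 0;                 /* no padding attempted, or bad input */
    return rsize > bufsize ? rsize - bufsize : 0;
}

/* Hardened handling (assumed mitigation): never pad a short report, reject
 * it. On success, copies exactly rsize bytes into out. */
int handle_report(const uint8_t *cdata, size_t bufsize, size_t csize,
                  size_t rsize, uint8_t *out, size_t outsize)
{
    if (csize > bufsize || rsize > outsize)
        return -EINVAL;           /* caller-supplied sizes are inconsistent */
    if (csize < rsize)
        return -EINVAL;           /* short report: drop instead of zeroing */
    memcpy(out, cdata, rsize);    /* rsize <= csize <= bufsize: in bounds */
    return 0;
}

int main(void)
{
    uint8_t rx[8] = {1, 2, 3, 4};          /* constructed: 8-byte buffer */
    uint8_t out[16];

    /* 4 bytes received, 16 expected, buffer actually holds 8 */
    printf("flawed memset overrun: %zu bytes\n", zero_fill_overrun(8, 4, 16));
    printf("hardened, short report: %d\n",
           handle_report(rx, sizeof rx, 4, 16, out, sizeof out));
    printf("hardened, full report: %d\n",
           handle_report(rx, sizeof rx, 8, 8, out, sizeof out));
    return 0;
}
```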