Linux Kernel Wacom HID Driver Out-of-Bounds Read Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of Bluetooth HID reports for Wacom Intuos tablets. The issue arises in the 'wacom_intuos_bt_irq()' function, which processes HID reports without adequate bounds checking. This flaw can lead to an out-of-bounds read when data is copied into the Wacom structure, potentially allowing for memory corruption or other unintended behavior. Specifically, report 0x03 requires a minimum of 22 bytes to safely read the data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. The vulnerability affects several versions of the Linux kernel.
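A simplified model of the missing check, added here as an illustration and not the kernel's code: the report id selects a minimum length (22 bytes for 0x03, 32 bytes for 0x04) and the handler rejects anything shorter before it reads a byte past the id. The 10-byte pen-data chunk layout and the names wacom_bt_min_len, wacom_bt_irq_checked and wacom_bt_state are assumptions chosen to match the minimums stated above.

```c
#include <stddef.h>
#include <string.h>

/* Assumed layout (illustrative model, not the kernel's structures):
 * byte 0 is the report id, followed by 10-byte pen-data chunks and one battery byte.
 * Report 0x03 carries 2 chunks (+ battery = 22 bytes); 0x04 carries 3 (32 bytes). */
#define WACOM_BT_CHUNK_LEN 10

struct wacom_bt_state {
    unsigned char chunks[3][WACOM_BT_CHUNK_LEN];
    int nchunks;
    unsigned char battery_raw;
};

/* Minimum length needed to read every field of the given report id; 0 if unknown. */
size_t wacom_bt_min_len(unsigned char report_id)
{
    switch (report_id) {
    case 0x03: return 1 + 2 * WACOM_BT_CHUNK_LEN + 1;   /* 22 */
    case 0x04: return 1 + 3 * WACOM_BT_CHUNK_LEN + 1;   /* 32 */
    default:   return 0;
    }
}

/* Hardened handler: the length check runs before any byte past the id is read.
 * Returns 0 on success, -1 for an unknown id or a report shorter than required. */
int wacom_bt_irq_checked(const unsigned char *data, size_t len, struct wacom_bt_state *st)
{
    if (len < 1)
        return -1;
    size_t need = wacom_bt_min_len(data[0]);
    if (need == 0 || len < need)
        return -1;                       /* the check that was missing: short report rejected */

    size_t i = 1;
    st->nchunks = 0;
    if (data[0] == 0x04) {               /* 0x04 has one extra chunk, then falls through to 0x03 */
        memcpy(st->chunks[st->nchunks++], data + i, WACOM_BT_CHUNK_LEN);
        i += WACOM_BT_CHUNK_LEN;
    }
    memcpy(st->chunks[st->nchunks++], data + i, WACOM_BT_CHUNK_LEN);
    i += WACOM_BT_CHUNK_LEN;
    memcpy(st->chunks[st->nchunks++], data + i, WACOM_BT_CHUNK_LEN);
    i += WACOM_BT_CHUNK_LEN;
    st->battery_raw = data[i];           /* i == 21 for 0x03, 31 for 0x04: inside the buffer */
    return 0;
}
```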

Impact

A report shorter than expected triggers an out-of-bounds read of data beyond the allocated buffer, which may lead to memory corruption or other unintended behavior.

Reproduction

To reproduce this vulnerability, send a Bluetooth HID report to a Wacom Intuos tablet that is shorter than the minimum length required for report 0x03 (22 bytes) or 0x04 (32 bytes). The 'wacom_intuos_bt_irq()' function will process the report, leading to an out-of-bounds read when the data is copied into the Wacom structure.

Remediation

Update to a Linux kernel version in which this vulnerability has been addressed. Instructions for updating the kernel can be found in the documentation for your specific Linux distribution.

Added: May 1, 2026, 3:29 PM
Updated: May 1, 2026, 3:29 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.