HID: core: zero-initialize the report buffer

Jiri Kosina · mehmetb0 · commit 67be55488941 · 2025-01-13T03:47:54.000+03:00
BugLink: https://bugs.launchpad.net/bugs/2089533 [ Upstream commit 177f25d ] Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. Fixes: 27ce405 ("HID: fix data access in implement()") Reported-by: Benoît Sevens <bsevens@google.com> Acked-by: Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> CVE-2024-50302 Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com> Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
@@ -1664,7 +1664,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
 
 	u32 len = hid_report_len(report) + 7;
 
-	return kmalloc(len, flags);
+	return kzalloc(len, flags);
 }
 EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
 

Original file line number	Diff line number	Diff line change
`@@ -1664,7 +1664,7 @@ u8 hid_alloc_report_buf(struct hid_report report, gfp_t flags)`
`1664`	`1664`
`1665`	`1665`	`u32 len = hid_report_len(report) + 7;`
`1666`	`1666`
`1667`		`- return kmalloc(len, flags);`
	`1667`	`+ return kzalloc(len, flags);`
`1668`	`1668`	`}`
`1669`	`1669`	`EXPORT_SYMBOL_GPL(hid_alloc_report_buf);`
`1670`	`1670`