I hadn’t come across this patch earlier—thanks for sharing it! After reviewing it, I can see that it addresses the UBSAN array-index-out-of-bounds issue.

Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote on Tue, 4 Mar 2025 at 00:02:
>
> On Mon, Mar 03, 2025 at 04:52:33PM +0800, Strforexc yn wrote:
> > Dear Maintainers, when using our customized Syzkaller to fuzz the
> > latest Linux kernel, the following crash was triggered.
> >
> > Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
> > Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
> > Kernel Log: https://github.com/Strforexc/LinuxKernelbug/blob/main/array-index-out-of-bounds_usbhid_parse/log0
> > Reproduce C: https://github.com/Strforexc/LinuxKernelbug/blob/main/array-index-out-of-bounds_usbhid_parse/repro.cprog
> >
> > I’ve encountered a UBSAN-reported array-index-out-of-bounds issue in
> > the USB HID driver on Linux 6.14.0-rc4 during device probing, likely
> > triggered by a malformed USB descriptor. Here are the details:
> >
> > UBSAN detects an out-of-bounds access at
> > drivers/hid/usbhid/hid-core.c:1025:18 in usbhid_parse, where index 1
> > exceeds the bounds of hid_class_descriptor [1] in struct
> > hid_descriptor. This occurs when parsing a HID device descriptor
> > during USB probing.
> >
> > Location: The fault occurs in a loop:
> > for (n = 0; n < num_descriptors; n++)
> >     if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT),
> > accessing hdesc->desc[n].
> >
> > Cause: struct hid_descriptor defines desc as a fixed-size array [1],
> > but the loop iterates up to num_descriptors (based on
> > hdesc->bNumDescriptors). UBSAN flags n=1 as out-of-bounds, though the
> > underlying descriptor buffer may be larger.
> >
> > Context: Preceded by a USB descriptor error (-22), suggesting a
> > malformed HID device (likely Syzkaller-crafted), triggering the loop
> > with bNumDescriptors > 1.
> >
> > Impact: No immediate crash, but a code hygiene issue flagged by UBSAN.
> > Runtime safety depends on descriptor buffer allocation, but it’s a
> > potential source of confusion or future bugs.
> >
> > Could HID maintainers investigate? Suggested fixes:
> > 1. Use a flexible array member (desc[]) in struct hid_descriptor and
> >    adjust parsing to rely on runtime buffer size.
> > 2. Add stricter validation of hdesc->bNumDescriptors against bLength
> >    to reject malformed descriptors earlier.
> >
> > Our knowledge of the kernel is somewhat limited, and we'd appreciate
> > it if you could determine if there is such an issue. If this issue
> > doesn't have an impact, please ignore it ☺.
> >
> > If you fix this issue, please add the following tag to the commit:
> > Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>, Jianzhou
> > Zhao <xnxc22xnxc22@xxxxxx>, Haoran Liu <cherest_san@xxxxxxx>
>
> Have you seen this patch or tried to test it?
>
> https://lore.kernel.org/linux-usb/20250131151600.410242-1-n.zhandarovich@xxxxxxxxxx/
>
> Alan Stern
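The two fixes suggested in the quoted report (a flexible array member instead of `desc[1]`, and checking `bNumDescriptors` against `bLength` before indexing) as a userspace model. This is an added example, not the kernel's `usbhid_parse()` and not the patch Alan links; the struct layout and the 0x21/0x22/0x23 descriptor type codes follow the USB HID class specification, while the function name `hid_report_desc_len`, the `le16_to_host` helper and the sample descriptor bytes are my own constructed inputs.

```c
/* Added example (not kernel code): model of the HID descriptor walk in
 * usbhid_parse() with a flexible array member and explicit validation of
 * bNumDescriptors against bLength before any desc[n] access. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor type codes from the USB HID class specification. */
#define HID_DT_HID      0x21
#define HID_DT_REPORT   0x22
#define HID_DT_PHYSICAL 0x23

struct hid_class_descriptor {
    uint8_t  bDescriptorType;
    uint16_t wDescriptorLength;     /* little-endian on the wire */
} __attribute__((packed));

/* Same field order as the kernel's struct hid_descriptor, but desc[] is a
 * flexible array member rather than desc[1]. The type no longer bounds the
 * index, so the bounds must come from bLength and the buffer size. */
struct hid_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t bcdHID;
    uint8_t  bCountryCode;
    uint8_t  bNumDescriptors;
    struct hid_class_descriptor desc[];
} __attribute__((packed));

/* Endian-safe read of a packed little-endian 16-bit field. */
static uint16_t le16_to_host(uint16_t v)
{
    uint8_t b[2];
    memcpy(b, &v, sizeof b);
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Return the report descriptor length named by the HID descriptor in buf,
 * or -1 if the descriptor is malformed or names no report descriptor.
 * buflen is the number of bytes actually present (the runtime buffer size). */
int hid_report_desc_len(const uint8_t *buf, size_t buflen)
{
    const struct hid_descriptor *hdesc = (const struct hid_descriptor *)buf;
    const size_t hdr = offsetof(struct hid_descriptor, desc);   /* 6 bytes */
    size_t need;
    unsigned n;

    if (buflen < hdr || hdesc->bDescriptorType != HID_DT_HID)
        return -1;
    /* bLength must cover the fixed header and must not exceed the buffer. */
    if (hdesc->bLength < hdr || hdesc->bLength > buflen)
        return -1;
    /* Every class descriptor that bNumDescriptors promises must fit inside
     * bLength; a fuzzer-crafted bNumDescriptors > 1 with a short bLength is
     * rejected here instead of being walked. */
    need = hdr + (size_t)hdesc->bNumDescriptors * sizeof(struct hid_class_descriptor);
    if (hdesc->bNumDescriptors == 0 || need > hdesc->bLength)
        return -1;

    for (n = 0; n < hdesc->bNumDescriptors; n++)
        if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
            return le16_to_host(hdesc->desc[n].wDescriptorLength);

    return -1;
}

/* Constructed sample descriptors (not captured from a real device). */

/* Well-formed: one class descriptor, report descriptor of 63 bytes. */
const uint8_t hid_desc_one[] = {
    0x09, HID_DT_HID, 0x11, 0x01, 0x00, 0x01,
    HID_DT_REPORT, 0x3f, 0x00,
};

/* Well-formed, two class descriptors (bLength = 12): the report descriptor
 * is at index 1, the access a desc[1] array would make UBSAN flag. */
const uint8_t hid_desc_two[] = {
    0x0c, HID_DT_HID, 0x11, 0x01, 0x00, 0x02,
    HID_DT_PHYSICAL, 0x10, 0x00,
    HID_DT_REPORT,   0x80, 0x00,
};

/* Malformed: bNumDescriptors = 2 but bLength = 9 covers only one. */
const uint8_t hid_desc_short[] = {
    0x09, HID_DT_HID, 0x11, 0x01, 0x00, 0x02,
    HID_DT_REPORT, 0x3f, 0x00,
};

/* Malformed: bLength claims more bytes than the buffer holds. */
const uint8_t hid_desc_overlong[] = {
    0x20, HID_DT_HID, 0x11, 0x01, 0x00, 0x01,
    HID_DT_REPORT, 0x3f, 0x00,
};

int main(void)
{
    printf("one:      %d\n", hid_report_desc_len(hid_desc_one, sizeof hid_desc_one));
    printf("two:      %d\n", hid_report_desc_len(hid_desc_two, sizeof hid_desc_two));
    printf("short:    %d\n", hid_report_desc_len(hid_desc_short, sizeof hid_desc_short));
    printf("overlong: %d\n", hid_report_desc_len(hid_desc_overlong, sizeof hid_desc_overlong));
    return 0;
}
```

The model rejects a descriptor whose `bNumDescriptors` does not fit in `bLength` outright; clamping the loop count to what `bLength` can hold is the other defensible policy, and either one removes the need to index past what the bytes actually contain. Compile with `cc -Wall -o hid_desc hid_desc.c` to run the four constructed cases.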