HID: core: zero-initialize the report buffer

bmastbergen · bmastbergen · commit 1bf18222a151 · 2025-09-02T09:36:27.000-04:00
jira VULN-40845 cve CVE-2024-50302 commit-author Jiri Kosina <jkosina@suse.com> commit 177f25d Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. Fixes: 27ce405 ("HID: fix data access in implement()") Reported-by: Benoît Sevens <bsevens@google.com> Acked-by: Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com> (cherry picked from commit 177f25d) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
@@ -1353,7 +1353,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
 
 	u32 len = hid_report_len(report) + 7;
 
-	return kmalloc(len, flags);
+	return kzalloc(len, flags);
 }
 EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
 

Original file line number	Diff line number	Diff line change
`@@ -1353,7 +1353,7 @@ u8 hid_alloc_report_buf(struct hid_report report, gfp_t flags)`
`1353`	`1353`
`1354`	`1354`	`u32 len = hid_report_len(report) + 7;`
`1355`	`1355`
`1356`		`- return kmalloc(len, flags);`
	`1356`	`+ return kzalloc(len, flags);`
`1357`	`1357`	`}`
`1358`	`1358`	`EXPORT_SYMBOL_GPL(hid_alloc_report_buf);`
`1359`	`1359`