)]}'
{
  "commit": "c4e746651bd74c38f581e1cf31651119a94de8cd",
  "tree": "c40595af72eb98f7c66cb9a213a4e5f95c489cba",
  "parents": [
    "a643fecbcac0a343fc83393ebf31eb09cd556e5b"
  ],
  "author": {
    "name": "Seungjin Bae",
    "email": "eeodqql09@gmail.com",
    "time": "Mon Nov 24 14:20:46 2025 -0500"
  },
  "committer": {
    "name": "Greg Kroah-Hartman",
    "email": "gregkh@linuxfoundation.org",
    "time": "Wed Dec 03 12:45:22 2025 +0100"
  },
  "message": "Input: pegasus-notetaker - fix potential out-of-bounds access\n\n[ Upstream commit 69aeb507312306f73495598a055293fa749d454e ]\n\nIn the pegasus_notetaker driver, the pegasus_probe() function allocates\nthe URB transfer buffer using the wMaxPacketSize value from\nthe endpoint descriptor. An attacker can use a malicious USB descriptor\nto force the allocation of a very small buffer.\n\nSubsequently, if the device sends an interrupt packet with a specific\npattern (e.g., where the first byte is 0x80 or 0x42),\nthe pegasus_parse_packet() function parses the packet without checking\nthe allocated buffer size. This leads to an out-of-bounds memory access.\n\nFixes: 1afca2b66aac (\"Input: add Pegasus Notetaker tablet driver\")\nSigned-off-by: Seungjin Bae \u003ceeodqql09@gmail.com\u003e\nLink: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "4e412a73a5aad285dc438fd510361b898c23bf6d",
      "old_mode": 33188,
      "old_path": "drivers/input/tablet/pegasus_notetaker.c",
      "new_id": "64a5ce54622936f3ffbfd15f42d5159e5b58df62",
      "new_mode": 33188,
      "new_path": "drivers/input/tablet/pegasus_notetaker.c"
    }
  ]
}