Re: [PATCH v2 1/1] HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID
From: Jiri Kosina
Date: Tue May 12 2026 - 11:57:26 EST

On Thu, 16 Apr 2026, Lee Jones wrote:
> It is currently possible for a malicious or misconfigured USB device to
> cause an out-of-bounds (OOB) read when submitting reports using
> DOUBLE_REPORT_ID by specifying a large report length and providing a
> smaller one.
>
> Let's prevent that by comparing the specified report length with the
> actual size of the data read in from userspace. If the actual data
> length ends up being smaller than specified, we'll politely warn the
> user and prevent any further processing.
>
> Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
> ---
> v1 => v2: Add more size checks to protect against issues during recursion

Applied, sorry for the delay.
--
Jiri Kosina
SUSE Labs
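
A user-space sketch of the length check the commit message above describes, added here as an example; it is not the patch or the driver's code. The report ID value, the packet layout (length of the first sub-report in the second byte), the sample packets and the name `handle_report` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DOUBLE_REPORT_ID 0xF7 /* assumed value for this sketch */

/* Constructed sample packets: [id][len of first sub-report][payload...] */
static const uint8_t pkt_ok[]     = {0xF7, 0x03, 0x28, 1, 2, 0x28, 9};
static const uint8_t pkt_lying[]  = {0xF7, 0x40, 0x28, 1}; /* claims 64, has 2 */
static const uint8_t pkt_short[]  = {0xF7};                /* no length byte */
static const uint8_t pkt_empty2[] = {0xF7, 0x02, 0x28, 1}; /* second half empty */
static const uint8_t pkt_nested[] = {0xF7, 0x04, 0xF7, 0x05, 0x28, 0x28, 0x28};

/* Hypothetical handler: returns the number of single reports accepted,
 * or -1 if any claimed length does not fit the bytes actually received. */
static int handle_report(const uint8_t *data, size_t size)
{
    size_t first_len;
    int a, b;

    if (size < 1)                 /* nothing to read, not even the id */
        return -1;
    if (data[0] != DOUBLE_REPORT_ID)
        return 1;                 /* single report; parse within size here */
    if (size < 2)                 /* data[1] would be out of bounds */
        return -1;

    first_len = data[1];
    /* Without this check the first call is handed more bytes than exist
     * and size - 2 - first_len wraps around (size_t) for the second. */
    if (first_len > size - 2)
        return -1;

    /* Each sub-report is re-validated, so a nested bad length is caught. */
    a = handle_report(data + 2, first_len);
    b = handle_report(data + 2 + first_len, size - 2 - first_len);
    return (a < 0 || b < 0) ? -1 : a + b;
}

int main(void)
{
    printf("ok=%d lying=%d short=%d empty2=%d nested=%d\n",
           handle_report(pkt_ok, sizeof pkt_ok),
           handle_report(pkt_lying, sizeof pkt_lying),
           handle_report(pkt_short, sizeof pkt_short),
           handle_report(pkt_empty2, sizeof pkt_empty2),
           handle_report(pkt_nested, sizeof pkt_nested));
    return 0;
}
```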