From: sashiko-bot@kernel.org
To: "Stuart Hayhurst" <stuart.a.hayhurst@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH] HID: corsair-void: Check size of status and firmware events before reading them
Date: Tue, 30 Jun 2026 00:53:18 +0000 [thread overview]
Message-ID: <20260630005319.3D5B81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630004003.579171-2-stuart.a.hayhurst@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Un-ratelimited kernel warning in a high-frequency packet processing path.
- [Medium] Overly strict bounds checking on report sizes incorrectly rejects valid, padded reports.
--
commit 867047370d14d44d5c13655e52c433ab8be9dd4a
Author: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
HID: corsair-void: Check size of status and firmware events before reading them
This commit adds bounds checking for status and firmware events in the
corsair-void HID driver to prevent out-of-bounds reads. If the size of the
event does not match the expected size, it logs a warning and returns early.
Cc: stable@vger.kernel.org
> diff --git a/drivers/hid/hid-corsair-void.c b/drivers/hid/hid-corsair-void.c
> index 5e9a5b8f7f167..fdcc4b8cd2720 100644
> --- a/drivers/hid/hid-corsair-void.c
> +++ b/drivers/hid/hid-corsair-void.c
[ ... ]
> @@ -742,6 +745,11 @@ static int corsair_void_raw_event(struct hid_device *hid_dev,
>
> /* Description of packets are documented at the top of this file */
> if (hid_report->id == CORSAIR_VOID_STATUS_REPORT_ID) {
> + if (size != CORSAIR_VOID_STATUS_REPORT_SIZE) {
[Severity: Medium]
Does this overly strict bounds check reject valid, padded reports?
It is common for USB host controllers to pad reports for 32-bit alignment,
or for newer headset firmwares to append data. Checking for an exact match
instead of a minimum length could cause the driver to silently drop these
packets and break headset functionality like battery status.
Would it be safer to check for a minimum length instead?
> + hid_warn(hid_dev, "unexpected status report of size %d", size);
[Severity: High]
Can a malfunctioning or malicious USB device flood the kernel log here?
Since this warning is un-ratelimited and occurs in the high-frequency packet
processing path of corsair_void_raw_event(), a device continuously sending
incorrectly sized reports could spam dmesg and potentially stall the CPU on
a slow serial console.
Should this use a ratelimited print, such as hid_warn_ratelimited() or
dev_warn_ratelimited()?
> + return 1;
> + }
> +
> drvdata->mic_up = FIELD_GET(CORSAIR_VOID_MIC_MASK, data[2]);
> drvdata->connected = (data[3] == CORSAIR_VOID_WIRELESS_CONNECTED) ||
> drvdata->is_wired;
> @@ -750,6 +758,11 @@ static int corsair_void_raw_event(struct hid_device *hid_dev,
> FIELD_GET(CORSAIR_VOID_CAPACITY_MASK, data[2]),
> data[3], data[4]);
> } else if (hid_report->id == CORSAIR_VOID_FIRMWARE_REPORT_ID) {
> + if (size != CORSAIR_VOID_FIRMWARE_REPORT_SIZE) {
[Severity: Medium]
This has the same strict bounds checking issue as the status report check
above. Does this also need to be converted to a minimum length check?
> + hid_warn(hid_dev, "unexpected firmware report of size %d", size);
[Severity: High]
This warning is also un-ratelimited. Can this be changed to use a
ratelimited print to prevent log flooding from malformed firmware reports?
> + return 1;
> + }
> +
> drvdata->fw_receiver_major = data[1];
> drvdata->fw_receiver_minor = data[2];
> drvdata->fw_headset_major = data[3];
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630004003.579171-2-stuart.a.hayhurst@gmail.com?part=1
prev parent reply other threads:[~2026-06-30 0:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 0:40 [PATCH] HID: corsair-void: Check size of status and firmware events before reading them Stuart Hayhurst
2026-06-30 0:53 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630005319.3D5B81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=stuart.a.hayhurst@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.