From: sashiko-bot@kernel.org
To: "Yousef Alhouseen" <alhouseenyousef@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 4/6] HID: roccat-kovaplus: reject short button reports
Date: Sun, 28 Jun 2026 16:58:03 +0000 [thread overview]
Message-ID: <20260628165805.452451F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628164611.17467-4-alhouseenyousef@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing bounds check in savu_raw_event allows out-of-bounds read and kernel memory leak
--
commit e1ed8982777cb731a4bf22c7e12d12c6c15620cc
Author: Yousef Alhouseen <alhouseenyousef@gmail.com>
HID: roccat-kovaplus: reject short button reports
The Kovaplus raw-event helpers cast button reports to a five-byte
structure and read all payload fields without checking the received size.
A malformed USB device can therefore trigger out-of-bounds reads from a
short input report.
> The Kovaplus raw-event helpers cast button reports to a five-byte
> structure and read all payload fields without checking the received size.
> A malformed USB device can therefore trigger out-of-bounds reads from a
> short input report.
[Severity: High]
This isn't a bug introduced by this patch, but it looks like the exact same
vulnerability exists in the savu driver.
While missing checks in several other roccat drivers (koneplus, isku, pyra,
konepure, ryos) were addressed in this series, it appears the savu driver
was missed.
In drivers/hid/hid-roccat-savu.c:savu_raw_event():
if (savu->roccat_claimed)
savu_report_to_chrdev(savu, data);
This calls savu_report_to_chrdev() without validating that size is sufficient
for struct savu_mouse_report_special.
Could a malicious physical USB device send a short HID report with size < 5
and data[0] == SAVU_MOUSE_REPORT_NUMBER_SPECIAL to trigger an out-of-bounds
read and expose uninitialized bytes from the HID transfer buffer to
userspace?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628164611.17467-1-alhouseenyousef@gmail.com?part=4
next prev parent reply other threads:[~2026-06-28 16:58 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 16:46 [PATCH 1/6] HID: roccat-koneplus: reject short button reports Yousef Alhouseen
2026-06-28 16:46 ` [PATCH 2/6] HID: roccat-isku: " Yousef Alhouseen
2026-06-28 16:59 ` sashiko-bot
2026-06-28 16:46 ` [PATCH 3/6] HID: roccat-pyra: " Yousef Alhouseen
2026-06-28 16:59 ` sashiko-bot
2026-06-28 16:46 ` [PATCH 4/6] HID: roccat-kovaplus: " Yousef Alhouseen
2026-06-28 16:58 ` sashiko-bot [this message]
2026-06-28 16:46 ` [PATCH 5/6] HID: roccat-konepure: " Yousef Alhouseen
2026-06-28 16:59 ` sashiko-bot
2026-06-28 16:46 ` [PATCH 6/6] HID: roccat-ryos: reject short special reports Yousef Alhouseen
2026-06-28 17:01 ` sashiko-bot
2026-06-28 17:01 ` [PATCH 1/6] HID: roccat-koneplus: reject short button reports sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260628165805.452451F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alhouseenyousef@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox