From: sashiko-bot@kernel.org
To: "Vicki Pfau" <vi@endrift.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 10/10] HID: steam: Retry send/recv reports if stale
Date: Thu, 02 Jul 2026 22:36:37 +0000 [thread overview]
Message-ID: <20260702223638.CE4121F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702222145.1863104-10-vi@endrift.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Insufficient bounds checking allows uninitialized kernel stack memory to be parsed, exposed to userspace, and logged to dmesg.
--
commit 74668d65404cd2e20c8afd5929ec0da105fd2ec0
Author: Vicki Pfau <vi@endrift.com>
HID: steam: Retry send/recv reports if stale
This commit introduces a retry mechanism for sending and receiving reports to
handle stale replies. It adds steam_exchange_report() to wrap the send and
receive logic with retries, avoiding failures from firmware bugs.
> diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> index e97431bc2828c..8d036b3412539 100644
> --- a/drivers/hid/hid-steam.c
> +++ b/drivers/hid/hid-steam.c
[ ... ]
> +static int steam_exchange_report(struct steam_device *steam, u8 *cmd, int csize,
> + u8 *reply, int rsize)
> +{
> + unsigned int retries = 5;
> + int ret;
> +
> + guard(mutex)(&steam->report_mutex);
> + do {
> + ret = steam_send_report(steam, cmd, csize);
> + if (ret < 0)
> + return ret;
> + ret = steam_recv_report(steam, reply, rsize);
[ ... ]
> + if (ret < 0) {
> + hid_err(steam->hdev, "%s: error reading reply (%*ph)\n",
> + __func__, csize, cmd);
> + return ret;
> + }
> + if (reply[0] == cmd[0] && reply[1] >= 1)
[Severity: High]
This is a pre-existing issue, but does this code evaluate uninitialized
stack memory if steam_recv_report() returns a short read?
steam_recv_report() has a mathematically flawed bounds check that can fail
to reject truncated packets or bypass the check entirely for 0-1 byte replies:
if (ret >= 2 && data[1] > ret + 2) {
...
return -EPROTO;
}
Because reply is uninitialized on the stack in callers like steam_get_serial(),
can a short read from a malfunctioning or malicious USB device cause us to
read uninitialized memory here?
Could it also potentially return success if the stack happens to match the
expected values?
> + break;
> + if (retries > 0)
> + continue;
> + hid_err(steam->hdev, "%s: invalid reply (%*ph)\n", __func__,
> + rsize, reply);
[Severity: High]
This is a pre-existing issue, but if steam_recv_report() returned a short read,
does this log uninitialized stack memory to dmesg since it dumps the full
rsize bytes of the reply buffer?
> + return -EPROTO;
> + } while (retries--);
> +
> + return ret;
> +}
> +
> static int steam_get_serial(struct steam_device *steam)
> {
[ ... ]
> u8 cmd[] = {ID_GET_STRING_ATTRIBUTE, sizeof(steam->serial_no), ATTRIB_STR_UNIT_SERIAL};
> u8 reply[3 + STEAM_SERIAL_LEN + 1];
>
> - guard(mutex)(&steam->report_mutex);
> - ret = steam_send_report(steam, cmd, sizeof(cmd));
> + ret = steam_exchange_report(steam, cmd, sizeof(cmd), reply, sizeof(reply));
> if (ret < 0)
> return ret;
> - ret = steam_recv_report(steam, reply, sizeof(reply));
> - if (ret < 0)
> - return ret;
> - if (reply[0] != ID_GET_STRING_ATTRIBUTE || reply[1] < 1 ||
> - reply[1] > sizeof(steam->serial_no) || reply[2] != ATTRIB_STR_UNIT_SERIAL) {
> + if (reply[1] > sizeof(steam->serial_no) || reply[2] != ATTRIB_STR_UNIT_SERIAL) {
[Severity: High]
This is a pre-existing issue, but since the length from reply[1] is not
validated against the actual bytes received, does the later call to strscpy()
leak up to 31 bytes of uninitialized kernel stack memory to userspace?
drivers/hid/hid-steam.c:steam_get_serial() {
...
reply[3 + STEAM_SERIAL_LEN] = 0;
strscpy(steam->serial_no, reply + 3, reply[1]);
return ret;
}
Can a remote or malfunctioning USB device returning short or empty HID payloads
trigger this information leak?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702222145.1863104-1-vi@endrift.com?part=10
prev parent reply other threads:[~2026-07-02 22:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 22:21 [PATCH 01/10] HID: steam: Update documentation Vicki Pfau
2026-07-02 22:21 ` [PATCH 02/10] HID: steam: Refactor and clean up report parsing Vicki Pfau
2026-07-02 22:21 ` [PATCH 03/10] HID: steam: Rename some constants that got renamed upstream Vicki Pfau
2026-07-02 22:21 ` [PATCH 04/10] HID: steam: Add support for sensor events on the Steam Controller (2015) Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 05/10] HID: steam: Coalesce rumble packets Vicki Pfau
2026-07-02 22:34 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 06/10] HID: steam: Fully unregister controller when hidraw is opened Vicki Pfau
2026-07-02 22:34 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 07/10] HID: steam: Rearrange deinitialization sequence Vicki Pfau
2026-07-02 22:35 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 08/10] HID: steam: Improve logging and other cleanup Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 09/10] HID: steam: Reject short reads Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-03 11:26 ` Yousef Alhouseen
2026-07-02 22:21 ` [PATCH 10/10] HID: steam: Retry send/recv reports if stale Vicki Pfau
2026-07-02 22:36 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702223638.CE4121F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vi@endrift.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox