From: sashiko-bot@kernel.org
To: "Andrei Fed" <andfed.net@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH] HID: magicmouse: fix battery reporting for Bluetooth Magic Trackpad USB-C
Date: Mon, 06 Jul 2026 18:13:46 +0000 [thread overview]
Message-ID: <20260706181347.700DB1F00A3F@smtp.kernel.org> (raw)
In-Reply-To: <20260706175507.47288-1-andfed.net@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Unbounded recursion in `magicmouse_raw_event` when parsing malicious `DOUBLE_REPORT_ID` packets can cause a kernel stack overflow.
--
commit 58987e236bab550dc05b66346833ee21ed261110
Author: Andrei Fed <andfed.net@gmail.com>
HID: magicmouse: fix battery reporting for Bluetooth Magic Trackpad USB-C
This commit fixes battery reporting for the Bluetooth Magic Trackpad USB-C by
avoiding the misparsing query path. It introduces a battery quirk to skip the
query and instead fetches the battery at the end of the device probe.
> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
> index 802a3479e24b9..0c4e959322c3c 100644
> --- a/drivers/hid/hid-magicmouse.c
> +++ b/drivers/hid/hid-magicmouse.c
[ ... ]
[Severity: Critical]
This is a pre-existing issue, but while reviewing this file I noticed
that magicmouse_raw_event() doesn't seem to enforce a depth limit when
recursively calling itself to parse DOUBLE_REPORT_ID packets:
drivers/hid/hid-magicmouse.c:magicmouse_raw_event() {
...
case DOUBLE_REPORT_ID:
/* Sometimes the trackpad sends two touch reports in one
* packet.
*/
/* Ensure that we have at least 2 elements (report type and size) */
if (size < 2)
return 0;
if (size < data[1] + 2) {
hid_warn(hdev,
"received report length (%d) was smaller than specified (%d)",
size, data[1] + 2);
return 0;
}
magicmouse_raw_event(hdev, report, data + 2, data[1]);
magicmouse_raw_event(hdev, report, data + 2 + data[1],
size - 2 - data[1]);
return 0;
...
}
If a malicious Bluetooth or USB device sends a HID report starting with
DOUBLE_REPORT_ID (0xf7) and filled with the sequence [0xf7, 0x00], the inner
size byte data[1] evaluates to 0.
Could this cause magicmouse_raw_event() to recursively call itself with
size 0 (which returns immediately) and size - 2?
A 16KB malicious report could force ~8192 nested recursions, which might
overflow the standard kernel stack and lead to a denial of service panic.
Does this need an upper bound on recursion depth or an iterative approach
to prevent stack exhaustion?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260706175507.47288-1-andfed.net@gmail.com?part=1
prev parent reply other threads:[~2026-07-06 18:13 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 17:55 [PATCH] HID: magicmouse: fix battery reporting for Bluetooth Magic Trackpad USB-C Andrei Fed
2026-07-06 18:13 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706181347.700DB1F00A3F@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=andfed.net@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox