Re: [PATCH v2 1/1] HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID

Re: [PATCH v2 1/1] HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID

[Lee Jones]

On Thu, 30 Apr 2026, Lee Jones wrote:

> On Thu, 16 Apr 2026, Günther Noack wrote:
> 
> > On Thu, Apr 16, 2026 at 02:16:54PM +0100, Lee Jones wrote:
> > > It is currently possible for a malicious or misconfigured USB device to
> > > cause an out-of-bounds (OOB) read when submitting reports using
> > > DOUBLE_REPORT_ID by specifying a large report length and providing a
> > > smaller one.
> > > 
> > > Let's prevent that by comparing the specified report length with the
> > > actual size of the data read in from userspace.  If the actual data
> > > length ends up being smaller than specified, we'll politely warn the
> > > user and prevent any further processing.
> > > 
> > > Signed-off-by: Lee Jones <lee@kernel.org>
> > > ---
> > > v1 => v2: Add more size checks to protect against issues during recursion
> > > 
> > >  drivers/hid/hid-magicmouse.c | 16 ++++++++++++++++
> > >  1 file changed, 16 insertions(+)
> > > 
> > > diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
> > > index 91f621ceb924..e84e6b21d113 100644
> > > --- a/drivers/hid/hid-magicmouse.c
> > > +++ b/drivers/hid/hid-magicmouse.c
> > > @@ -390,6 +390,10 @@ static int magicmouse_raw_event(struct hid_device *hdev,
> > >  	struct input_dev *input = msc->input;
> > >  	int x = 0, y = 0, ii, clicks = 0, npoints;
> > >  
> > > +	/* Protect against zero sized recursive calls from DOUBLE_REPORT_ID */
> > > +	if (size < 1)
> > > +		return 0;
> > > +
> > >  	switch (data[0]) {
> > >  	case TRACKPAD_REPORT_ID:
> > >  	case TRACKPAD2_BT_REPORT_ID:
> > > @@ -490,6 +494,18 @@ static int magicmouse_raw_event(struct hid_device *hdev,
> > >  		/* Sometimes the trackpad sends two touch reports in one
> > >  		 * packet.
> > >  		 */
> > > +
> > > +		/* Ensure that we have at least 2 elements (report type and size) */
> > > +		if (size < 2)
> > > +			return 0;
> > > +
> > > +		if (size < data[1] + 2) {
> > > +			hid_warn(hdev,
> > > +				 "received report length (%d) was smaller than specified (%d)",
> > > +				 size, data[1] + 2);
> > > +			return 0;
> > > +		}
> > > +
> > >  		magicmouse_raw_event(hdev, report, data + 2, data[1]);
> > >  		magicmouse_raw_event(hdev, report, data + 2 + data[1],
> > >  			size - 2 - data[1]);
> > > -- 
> > > 2.54.0.rc1.513.gad8abe7a5a-goog
> > > 
> > 
> > Thank you! This looks correct now.
> > 
> > Reviewed-by: Günther Noack <gnoack@google.com>
> 
> Contentless ping. =:-)

Biweekly ping on this please - if you'd prefer a [RESEND], let me know.

-- 
Lee Jones

Re: [PATCH v2 1/1] HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID

[Jiri Kosina]

On Thu, 16 Apr 2026, Lee Jones wrote:

> It is currently possible for a malicious or misconfigured USB device to
> cause an out-of-bounds (OOB) read when submitting reports using
> DOUBLE_REPORT_ID by specifying a large report length and providing a
> smaller one.
> 
> Let's prevent that by comparing the specified report length with the
> actual size of the data read in from userspace.  If the actual data
> length ends up being smaller than specified, we'll politely warn the
> user and prevent any further processing.
> 
> Signed-off-by: Lee Jones <lee@kernel.org>
> ---
> v1 => v2: Add more size checks to protect against issues during recursion

Applied, sorry for the delay.

-- 
Jiri Kosina
SUSE Labs