Date: Thu, 16 Apr 2026 16:22:09 +0200
From: Günther Noack
To: Lee Jones
Cc: Jiri Kosina, Benjamin Tissoires, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID
References: <20260416131655.2279756-1-lee@kernel.org>
In-Reply-To: <20260416131655.2279756-1-lee@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 16, 2026 at 02:16:54PM +0100, Lee Jones wrote:
> It is currently possible for a malicious or misconfigured USB device to
> cause an out-of-bounds (OOB) read when submitting reports using
> DOUBLE_REPORT_ID by specifying a large report length and providing a
> smaller one.
>
> Let's prevent that by comparing the specified report length with the
> actual size of the data read in from userspace. If the actual data
> length ends up being smaller than specified, we'll politely warn the
> user and prevent any further processing.
>
> Signed-off-by: Lee Jones
> ---
> v1 => v2: Add more size checks to protect against issues during recursion
>
> drivers/hid/hid-magicmouse.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
> > diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c > index 91f621ceb924..e84e6b21d113 100644 > --- a/drivers/hid/hid-magicmouse.c > +++ b/drivers/hid/hid-magicmouse.c > @@ -390,6 +390,10 @@ static int magicmouse_raw_event(struct hid_device *hdev, > struct input_dev *input = msc->input; > int x = 0, y = 0, ii, clicks = 0, npoints; > > + /* Protect against zero sized recursive calls from DOUBLE_REPORT_ID */ > + if (size < 1) > + return 0; > + > switch (data[0]) { > case TRACKPAD_REPORT_ID: > case TRACKPAD2_BT_REPORT_ID: > @@ -490,6 +494,18 @@ static int magicmouse_raw_event(struct hid_device *hdev, > /* Sometimes the trackpad sends two touch reports in one > * packet. > */ > + > + /* Ensure that we have at least 2 elements (report type and size) */ > + if (size < 2) > + return 0; > + > + if (size < data[1] + 2) { > + hid_warn(hdev, > + "received report length (%d) was smaller than specified (%d)", > + size, data[1] + 2); > + return 0; > + } > + > magicmouse_raw_event(hdev, report, data + 2, data[1]); > magicmouse_raw_event(hdev, report, data + 2 + data[1], > size - 2 - data[1]); > -- > 2.54.0.rc1.513.gad8abe7a5a-goog > Thank you! This looks correct now. Reviewed-by: Günther Noack —Günther
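Review bot: the `if (size < 1) return 0;` guard in the first hunk sits in the right place, since `data[0]` is dereferenced by the `switch` immediately below it; because `size` is a signed int here (the second hunk prints it with `%d`), `< 1` also rejects a negative remainder, so keep it as written rather than tightening it to `== 0`. The comment only mentions the recursive calls from DOUBLE_REPORT_ID, but the check equally protects the top-level call from the transport layer, so consider widening it to something like "Reject empty or truncated reports, including the recursive calls from DOUBLE_REPORT_ID".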
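Review bot: in the second hunk, `size < data[1] + 2` is the check that closes the over-read (`data[1]` is a u8 promoted to int, so the addition cannot wrap), and together with the preceding `size < 2` check it guarantees that the second recursive call's length `size - 2 - data[1]` is non-negative; a zero remainder is then caught by the new entry guard, and a nested DOUBLE_REPORT_ID inside the first sub-report is bounded in depth because every level consumes at least two bytes. One concern: `hid_warn()` fires for every malformed report on a device-controlled path, so a misbehaving device can flood the kernel log; consider `hid_warn_once()` or a ratelimited variant so the diagnostic stays useful without becoming a log-spam vector.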