From: "Günther Noack" <gnoack@google.com>
To: "Derek J. Clark" <derekjohn.clark@gmail.com>
Cc: Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <bentiss@kernel.org>,
"Pierre-Loup A . Griffais" <pgriffais@valvesoftware.com>,
Lee Jones <joneslee@google.com>,
Lambert Fan <fanzhaoming@anopc.com>,
Zhouwang Huang <honjow311@gmail.com>,
linux-input@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 0/5] Add OneXPlayer Configuration HID Driver
Date: Fri, 3 Jul 2026 16:25:18 +0200 [thread overview]
Message-ID: <akfGTjId84EjV141@google.com> (raw)
In-Reply-To: <20260419042624.625746-1-derekjohn.clark@gmail.com>
Hello Derek!
On Sat, Apr 18, 2026 at 09:26:19PM -0700, Derek J. Clark wrote:
> Adds an HID driver for OneXPlayer HID configuration devices. There are
> currently 2 generations of OneXPlayer HID protocol. The first (OneXPlayer
> F1 series) only provides an RGB control interface over HID. The Second
> (X1 mini series, G1 series, AOKZOE A1X) also includes a hardware level
> button mapping interface, vibration intensity settings, and the ability
> to switch output between xinput and a debug mode that can be used to debug
> the button mapping. Some devices (G1 Series, APEX) use a hybrid of Gen1
> RGB control and Gen 2 controller settings. To ensure there is no conflicts
> when the driver is loaded, we skip creating the RGB interface for Gen 2
> devices if there is a DMI match.
>
> I'll also add a note that Gen 1 devices also have an interface for
> setting the key map and debug mode, but that is done entirely over a
> serial TTY device so it is not able to be added to this driver. There
> are also some "Gen 0" devices (OneXPlayer 2 Series) also use it, but
> the TTY interface also handles the RGB control so no support is
> provided by this driver for those interfaces.
>
> Signed-off-by: Derel J. Clark <derekjohn.clark@gmail.com>
Sorry I am late to this review, but here are two issues I discovered
when looking at the code:
(1) The functions oxp_hid_raw_event_gen_1() and
oxp_hid_raw_event_gen_2() are both forgetting to do bounds checks
against the "size" argument.
For real devices, which send a real report descriptor, these buffers
will be large enough, but a device that sends a faked report
descriptor can provoke an out-of-bounds-read here by underspecifying
the size for these reports.
(2) oxp_hid_probe() and other functions are populating drvdata, and
drvdata is a static variable. If you plug in two of these devices
at the same time, they will step on each other's toes, and this
leads to all kinds of memory corruption problems when they do.
I believe the right way to go about this is to allocate a separate
piece of memory for each device that you are plugging in. Other
device drivers do this uing devm_kzalloc().
Disclaimer:
I found these through code inspection and curiosity but have not tried
to reproduce the crashes.
Per Linux's official threat model[1], these are not considered security
vulnerabilities. An attacker who impersonates a USB device and gains
illegitimate access to the USB port might be able to provoke these bugs
though, and I wouldn't be surprised if (2) also just leads to system
crashes when using two of these devices at the same time.
—Günther
[1] https://docs.kernel.org/process/threat-model.html
prev parent reply other threads:[~2026-07-03 14:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-19 4:26 [PATCH v4 0/5] Add OneXPlayer Configuration HID Driver Derek J. Clark
2026-04-19 4:26 ` [PATCH v4 1/5] HID: hid-oxp: Add OneXPlayer configuration driver Derek J. Clark
2026-04-19 4:26 ` [PATCH v4 2/5] HID: hid-oxp: Add Second Generation RGB Control Derek J. Clark
2026-04-19 4:26 ` [PATCH v4 3/5] HID: hid-oxp: Add Second Generation Gamepad Mode Switch Derek J. Clark
2026-04-19 4:26 ` [PATCH v4 4/5] HID: hid-oxp: Add Button Mapping Interface Derek J. Clark
2026-04-19 4:26 ` [PATCH v4 5/5] HID: hid-oxp: Add Vibration Intensity Attribute Derek J. Clark
2026-05-12 15:56 ` [PATCH v4 0/5] Add OneXPlayer Configuration HID Driver Jiri Kosina
2026-07-03 14:25 ` Günther Noack [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=akfGTjId84EjV141@google.com \
--to=gnoack@google.com \
--cc=bentiss@kernel.org \
--cc=derekjohn.clark@gmail.com \
--cc=fanzhaoming@anopc.com \
--cc=honjow311@gmail.com \
--cc=jikos@kernel.org \
--cc=joneslee@google.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pgriffais@valvesoftware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox