[PATCH 0/2] HID: roccat: bound device-supplied profile index

Next message: Krzysztof Wilczy&#x144;ski: "Re: [BUG] KASAN: slab-use-after-free in pci_endpoint_test_ioctl"
Previous message: Michael Bommarito: "[PATCH 2/2] nfc: pn533: add KUnit tests for receive-path bounds"
Next in thread: Michael Bommarito: "[PATCH 1/2] HID: roccat: bound device-supplied profile index"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Bommarito

Date: Wed Jun 17 2026 - 23:01:27 EST

The Roccat Kone driver uses an 8-bit value taken straight from a USB HID
interrupt report as an index into a fixed 5-element profiles[] array,
without any range check. A malicious or counterfeit device that claims
the Roccat Kone VID/PID can send a "switch profile" report with an
out-of-range value and make the driver read out of bounds; the same
unbounded index is also reachable at probe time from a device-supplied
startup_profile field. The read result is stored in actual_dpi and
exposed to user space through the actual_dpi sysfs attribute.

Michael Bommarito (2):
HID: roccat: bound device-supplied profile index
HID: roccat: add KUnit test for kone profile-index bounds

drivers/hid/Kconfig | 9 +++++
drivers/hid/hid-roccat-kone.c | 65 +++++++++++++++++++++++++++++++++--
2 files changed, 72 insertions(+), 2 deletions(-)

--
2.53.0