[PATCH 2/6] HID: roccat-isku: reject short button reports
From: Yousef Alhouseen
Date: Sun Jun 28 2026 - 12:48:17 EST
The Isku raw-event path casts button reports to a five-byte structure
and reads the event payload without validating the received size. A
malformed USB device can therefore trigger out-of-bounds reads from a
short report.

Require the complete button report before updating or forwarding it.
Fixes: d41c2a7011df ("HID: roccat: Add support for Isku keyboard")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-roccat-isku.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-roccat-isku.c b/drivers/hid/hid-roccat-isku.c
index 93a49c93ae8c..c65f414b13cd 100644
--- a/drivers/hid/hid-roccat-isku.c
+++ b/drivers/hid/hid-roccat-isku.c
@@ -411,6 +411,10 @@ static int isku_raw_event(struct hid_device *hdev,
if (isku == NULL)
return 0;
+ if (data[0] == ISKU_REPORT_NUMBER_BUTTON &&
+ size < sizeof(struct isku_report_button))
+ return 0;
+
isku_keep_values_up_to_date(isku, data);
if (isku->roccat_claimed)
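Review bot: The added condition in isku_raw_event() reads data[0] before it tests size, so the new guard itself assumes the report is at least one byte long. If the caller does not guarantee size >= 1, test the length first or add an early return for an empty report; if it does guarantee it, a sentence in the commit message saying so would help stable reviewers. Separately, "return 0" matches the isku == NULL path just above, but in a raw_event handler a return of 0 lets the HID core continue processing the report, whereas the subject says "reject"; please state whether the short report is meant to be dropped (negative return) or only skipped by this driver.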
--
2.54.0