[PATCH 4/6] HID: roccat-kovaplus: reject short button reports

Next message: Yousef Alhouseen: "[PATCH 5/6] HID: roccat-konepure: reject short button reports"
Previous message: Yousef Alhouseen: "[PATCH] HID: cp2112: validate input response lengths"
In reply to: Yousef Alhouseen: "[PATCH 2/6] HID: roccat-isku: reject short button reports"
Next in thread: Yousef Alhouseen: "[PATCH 5/6] HID: roccat-konepure: reject short button reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:49:13 EST

The Kovaplus raw-event helpers cast button reports to a five-byte
structure and read all payload fields without checking the received size.
A malformed USB device can therefore trigger out-of-bounds reads from a
short input report.

Require a complete button report before updating or forwarding it.

Fixes: 0e70f97f257e ("HID: roccat: Add support for Kova[+] mouse")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-roccat-kovaplus.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/hid/hid-roccat-kovaplus.c b/drivers/hid/hid-roccat-kovaplus.c
index 9ec42c218ef9..55de262e165b 100644
--- a/drivers/hid/hid-roccat-kovaplus.c
+++ b/drivers/hid/hid-roccat-kovaplus.c
@@ -614,6 +614,10 @@ static int kovaplus_raw_event(struct hid_device *hdev,
if (kovaplus == NULL)
return 0;

+ if (data[0] == KOVAPLUS_MOUSE_REPORT_NUMBER_BUTTON &&
+ size < sizeof(struct kovaplus_mouse_report_button))
+ return 0;
+
kovaplus_keep_values_up_to_date(kovaplus, data);

if (kovaplus->roccat_claimed)
--
2.54.0