[PATCH 6/6] HID: roccat-ryos: reject short special reports

Next message: SJ Park: "Re: [PATCH] mm/damon/core: reduce kernel stack usage"
Previous message: Hugo Osvaldo Barrera: "Re: [PATCH 2/2] dt-bindings: bluetooth: broadcom: add BCM43752"
In reply to: Yousef Alhouseen: "[PATCH 5/6] HID: roccat-konepure: reject short button reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:50:14 EST

ryos_raw_event() forwards special reports directly to the Roccat
character-device layer, which copies the fixed five-byte report size
registered by this driver. A malformed USB device can send a shorter
report and trigger an out-of-bounds read during that copy.

Only forward complete special reports.

Fixes: 6f3a19360545 ("HID: roccat: add support for Ryos MK keyboards")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-roccat-ryos.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-roccat-ryos.c b/drivers/hid/hid-roccat-ryos.c
index db83f42457da..5087defc7c37 100644
--- a/drivers/hid/hid-roccat-ryos.c
+++ b/drivers/hid/hid-roccat-ryos.c
@@ -189,7 +189,8 @@ static int ryos_raw_event(struct hid_device *hdev,
!= RYOS_USB_INTERFACE_PROTOCOL)
return 0;

- if (data[0] != RYOS_REPORT_NUMBER_SPECIAL)
+ if (data[0] != RYOS_REPORT_NUMBER_SPECIAL ||
+ size < sizeof(struct ryos_report_special))
return 0;

if (ryos != NULL && ryos->roccat_claimed)
--
2.54.0