Re: [PATCH 0/2] HID: roccat: bound device-supplied profile index

From: Jiri Kosina

Date: Mon Jun 29 2026 - 05:26:03 EST


On Wed, 17 Jun 2026, Michael Bommarito wrote:

> The Roccat Kone driver uses an 8-bit value taken straight from a USB HID
> interrupt report as an index into a fixed 5-element profiles[] array,
> without any range check. A malicious or counterfeit device that claims
> the Roccat Kone VID/PID can send a "switch profile" report with an
> out-of-range value and make the driver read out of bounds; the same
> unbounded index is also reachable at probe time from a device-supplied
> startup_profile field. The read result is stored in actual_dpi and
> exposed to user space through the actual_dpi sysfs attribute.
>
> Michael Bommarito (2):
>   HID: roccat: bound device-supplied profile index
>   HID: roccat: add KUnit test for kone profile-index bounds

Applied, thanks.

--
Jiri Kosina
SUSE Labs
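
An added example, not part of this thread and not the driver's or the patch's code: a simplified user-space C model of the bug class the quoted cover letter describes, with the unchecked index next to a bounded form that both the report path and the probe-time path share. The struct and function names, the two-byte report layout, the 0-based indexing and the event value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define N_PROFILES 5              /* the fixed 5-element profiles[] array */

struct profile { uint8_t startup_dpi; };   /* hypothetical field name */

struct mouse_state {                        /* hypothetical driver state */
    struct profile profiles[N_PROFILES];
    uint8_t actual_profile;
    uint8_t actual_dpi;                     /* value later shown to user space */
};

/* Pattern described in the cover letter: the device's byte indexes the
 * array directly, so values 5..255 read past the end of profiles[]. */
void switch_profile_unchecked(struct mouse_state *m, uint8_t idx)
{
    m->actual_profile = idx;
    m->actual_dpi = m->profiles[idx].startup_dpi;
}

/* Bounded form: reject the value before it touches the array and leave
 * the cached state untouched on failure. */
int switch_profile_checked(struct mouse_state *m, uint8_t idx)
{
    if (idx >= N_PROFILES)
        return -EINVAL;
    m->actual_profile = idx;
    m->actual_dpi = m->profiles[idx].startup_dpi;
    return 0;
}

/* Constructed report layout: byte 0 = event type, byte 1 = profile index. */
#define EV_SWITCH_PROFILE 0x01    /* constructed value, not the driver's */

int handle_report(struct mouse_state *m, const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -EINVAL;           /* short report: no index byte to read */
    if (buf[0] != EV_SWITCH_PROFILE)
        return 0;                 /* not a profile switch; ignore */
    return switch_profile_checked(m, buf[1]);
}

/* Probe-time path: the device-supplied startup_profile goes through the
 * same check instead of indexing profiles[] on its own. */
int apply_startup_profile(struct mouse_state *m, uint8_t startup_profile)
{
    return switch_profile_checked(m, startup_profile);
}
```

Routing both entry points through one checked helper keeps a later caller from reintroducing the raw index, and rejecting before any write means a bad report cannot change what the sysfs attribute shows.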