[PATCH 0/2] HID: roccat: bound device-supplied profile index
From: Michael Bommarito <hidden>
Date: 2026-06-18 03:00:41
Also in:
lkml
From: Michael Bommarito <hidden>
Date: 2026-06-18 03:00:41
Also in:
lkml
The Roccat Kone driver uses an 8-bit value taken straight from a USB HID interrupt report as an index into a fixed 5-element profiles[] array, without any range check. A malicious or counterfeit device that claims the Roccat Kone VID/PID can send a "switch profile" report with an out-of-range value and make the driver read out of bounds; the same unbounded index is also reachable at probe time from a device-supplied startup_profile field. The read result is stored in actual_dpi and exposed to user space through the actual_dpi sysfs attribute. Michael Bommarito (2): HID: roccat: bound device-supplied profile index HID: roccat: add KUnit test for kone profile-index bounds drivers/hid/Kconfig | 9 +++++ drivers/hid/hid-roccat-kone.c | 65 +++++++++++++++++++++++++++++++++-- 2 files changed, 72 insertions(+), 2 deletions(-) -- 2.53.0