On Mon, 12 Sep 2022, Silvan Jegen wrote: > Hi > > Lee Jones <lee@xxxxxxxxxx> wrote: > > On Wed, 03 Aug 2022, Lee Jones wrote: > > > > > It is possible for a malicious device to forgo submitting a Feature > > > Report. The HID Steam driver presently makes no prevision for this > > > and de-references the 'struct hid_report' pointer obtained from the > > > HID devices without first checking its validity. Let's change that. > > > > This patch has been floating around since the beginning of July. > > > > It fixes a real issue which was found by creating a virtual > > (software based) malicious device and registering it as a HID device. > > > > There is nothing preventing a real attacker from creating a H/W > > version of the device in order to instigate an out-of-bounds read, > > potentially leading to a data leak. > > > > Would someone be kind enough to review please? > > AFACT this patch has been applied by Jiri on the 25th of August already. Ah, I missed his reply to the original patch. > Is a review still needed in this case? Certainly not. Thank you for your reply. -- Lee Jones [李琼斯]
