On Tue, Jul 30, 2024 at 07:42:43PM -0400, Camila Alvarez wrote: > report_fixup for the Cougar 500k Gaming Keyboard was not verifying > that the report descriptor size was correct before accessing it > > Reported-by: syzbot+24c0361074799d02c452@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452 > Signed-off-by: Camila Alvarez <cam.alvarez.i@xxxxxxxxx> > --- > drivers/hid/hid-cougar.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) This LGTM! Reviewed-by: Silvan Jegen <s.jegen@xxxxxxxxx> > > diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c > index cb8bd8aae15b..0fa785f52707 100644 > --- a/drivers/hid/hid-cougar.c > +++ b/drivers/hid/hid-cougar.c > @@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void) > static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc, > unsigned int *rsize) > { > - if (rdesc[2] == 0x09 && rdesc[3] == 0x02 && > + if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 && > (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) { > hid_info(hdev, > "usage count exceeds max: fixing up report descriptor\n"); > -- > 2.34.1 > >
