On Sat, Jul 18, 2020 at 07:12:18PM -0400, Peilin Ye wrote: > `uref->usage_index` is not always being properly checked, causing > hiddev_ioctl_usage() to go out of bounds under some cases. Fix it. > Yeah. This code is not obvious. It doesn't come from the user directly so we don't have to worry about nospec. It comes from hiddev_lookup_usage() where we set: uref->usage_index = j; We know that j is less than field->maxusage but we do need to check against field->report_count like your patch does... The two arrays are allocated in hid_register_field(). I don't know the code well enough to say how these arrays are used or why the one is larger than the other so I can't give a proper reviewed-by. But the patch looks reasonable and doesn't introduce any bugs which weren't there in the original code. regards, dan carpenter
