From e606d8329be1e19b7eb3e0c6c72a73cbbb25ae3d Mon Sep 17 00:00:00 2001 From: =?utf8?q?G=C3=BCnther=20Noack?= Date: Tue, 31 Mar 2026 09:40:51 +0200 Subject: [PATCH] HID: logitech-hidpp: Check bounds when deleting force-feedback effects MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Without this bounds check, this might otherwise overwrite index -1. Triggering this condition requires action both from the USB device and from userspace, which reduces the scenarios in which it can be exploited. Cc: Lee Jones Signed-off-by: Günther Noack Reviewed-by: Lee Jones Signed-off-by: Jiri Kosina --- drivers/hid/hid-logitech-hidpp.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 65bfad405ac5b..ab5d676cbb029 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -2502,12 +2502,15 @@ static void hidpp_ff_work_handler(struct work_struct *w) } break; case HIDPP_FF_DESTROY_EFFECT: - if (wd->effect_id >= 0) - /* regular effect destroyed */ - data->effect_ids[wd->params[0]-1] = -1; - else if (wd->effect_id >= HIDPP_FF_EFFECTID_AUTOCENTER) - /* autocenter spring destroyed */ - data->slot_autocenter = 0; + slot = wd->params[0]; + if (slot > 0 && slot <= data->num_effects) { + if (wd->effect_id >= 0) + /* regular effect destroyed */ + data->effect_ids[slot-1] = -1; + else if (wd->effect_id >= HIDPP_FF_EFFECTID_AUTOCENTER) + /* autocenter spring destroyed */ + data->slot_autocenter = 0; + } break; case HIDPP_FF_SET_GLOBAL_GAINS: data->gain = (wd->params[0] << 8) + wd->params[1]; -- 2.47.3