From: Bryam Vargas <hexlabsecurity@proton.me>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Input: goodix - clamp the device-reported contact count
Date: Mon, 15 Jun 2026 18:42:10 +0000 [thread overview]
Message-ID: <20260615184204.26707-1-hexlabsecurity@proton.me> (raw)
In-Reply-To: <ai8WppWIAsSKXwFk@google.com>
On Sun, Jun 14, 2026 at 02:02:27PM -0700, Dmitry Torokhov wrote:
> Should we drop the report if is has bogus data in it?
We already do, for the per-interrupt count. goodix_ts_read_input_report()
drops a report whose reported touch count is out of range:
touch_num = data[0] & 0x0f;
if (touch_num > ts->max_touch_num)
return -EPROTO;
The only gap this patch closes is that ts->max_touch_num itself could be
larger than what point_data[] holds: it was taken straight from the 4-bit
config nibble (0..15), while the buffer is sized for GOODIX_MAX_CONTACTS
(10) -- 2 + 9*10 = 92 bytes. A config advertising 11..15 made that -EPROTO
check accept an out-of-range touch_num and overflow the stack buffer.
Clamping max_touch_num to GOODIX_MAX_CONTACTS at config-read time makes
that existing per-report drop a safe bound: a report claiming more than 10
contacts is now dropped with -EPROTO, and 10 is exactly point_data[]'s
capacity, so no legitimate report is lost (the driver maximum is 10, and
the other max_touch_num assignments already use GOODIX_MAX_CONTACTS).
If you'd rather flag a bogus config than silently clamp it, I'm happy to
add a dev_warn_ratelimited() in a v2 -- just say the word.
Thanks,
Bryam
prev parent reply other threads:[~2026-06-15 18:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-13 2:10 [PATCH] Input: goodix - clamp the device-reported contact count Bryam Vargas via B4 Relay
2026-06-13 2:10 ` Bryam Vargas
2026-06-13 2:22 ` sashiko-bot
2026-06-14 11:44 ` Hans de Goede
2026-06-14 21:02 ` Dmitry Torokhov
2026-06-15 18:42 ` Bryam Vargas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260615184204.26707-1-hexlabsecurity@proton.me \
--to=hexlabsecurity@proton.me \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.