From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: hexlabsecurity@proton.me
Cc: linux-input@vger.kernel.org, Rick Koch <n1gp@hotmail.com>,
	 linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Input: touchwin - reset the packet index on every complete packet
Date: Sun, 14 Jun 2026 13:59:32 -0700
Message-ID: <ai8WLJQsQda3r4eI@google.com>
In-Reply-To: <20260613-b4-disp-69921bfd-v1-1-82c036899959@proton.me>

On Sat, Jun 13, 2026 at 08:07:20PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
> 
> tw_interrupt() accumulates each non-zero serial byte into a fixed
> three-byte buffer with a running index that is only reset once a full
> packet has been received *and* the device's two Y bytes agree:
> 
> 	tw->data[tw->idx++] = data;
> 	if (tw->idx == TW_LENGTH && tw->data[1] == tw->data[2]) {
> 		...
> 		tw->idx = 0;
> 	}
> 
> The reset is gated on tw->data[1] == tw->data[2], a value the device
> controls.  A malicious, malfunctioning or counterfeit Touchwindow
> peripheral can stream non-zero bytes whose 2nd and 3rd bytes differ: the
> index reaches TW_LENGTH without the equality holding, is never reset, and
> keeps growing, so tw->data[tw->idx++] walks off the end of the three-byte
> array and the rest of the heap-allocated struct tw, one attacker-chosen
> byte at a time -- an unbounded, device-driven heap out-of-bounds write.
> 
> Reset the index on every completed packet and report an event only when
> the two Y bytes match, like the other serio touchscreen drivers do.
> 
> Fixes: 11ea3173d5f2 ("Input: add driver for Touchwin serial touchscreens")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>

Applied, thank you.

-- 
Dmitry
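As an added example that is not part of the patch or of the driver: a userspace model of the packet-index handling the commit message describes, run once with the original reset rule and once with the applied one, so the index can be seen staying bounded after the fix. The struct, the byte stream and the bounds guard are constructed for this model.

```c
/* Added example (not the driver's code): userspace model of the tw_interrupt()
 * packet-index logic from the patch description. The store is bounds-guarded
 * here so the model stays memory-safe and only records how far idx would run. */
#include <stddef.h>

#define TW_LENGTH 3

struct tw_model {
	unsigned char data[TW_LENGTH];
	unsigned int idx;      /* running packet index, as in struct tw */
	unsigned int reports;  /* events the logic would report */
	unsigned int max_idx;  /* highest index a store would have used */
};

/* fixed == 0: reset only when the packet is complete AND the Y bytes agree
 * (the original gating). fixed != 0: reset on every complete packet and
 * report only when the Y bytes agree (the applied fix). */
static void tw_feed(struct tw_model *tw, unsigned char data, int fixed)
{
	if (!data)
		return;  /* the driver accumulates only non-zero bytes */
	if (tw->idx < TW_LENGTH)  /* guard added for the model only */
		tw->data[tw->idx] = data;
	if (tw->idx > tw->max_idx)
		tw->max_idx = tw->idx;
	tw->idx++;
	if (tw->idx != TW_LENGTH)
		return;
	if (tw->data[1] == tw->data[2]) {
		tw->reports++;
		tw->idx = 0;
	} else if (fixed) {
		tw->idx = 0;
	}
}

static struct tw_model run_stream(const unsigned char *s, size_t n, int fixed)
{
	struct tw_model tw = { { 0 }, 0, 0, 0 };
	for (size_t i = 0; i < n; i++)
		tw_feed(&tw, s[i], fixed);
	return tw;
}

/* Constructed stream: a packet whose Y bytes differ, a zero byte the driver
 * skips, then two well-formed packets. */
static const unsigned char sample_stream[] = {
	0x80, 0x10, 0x20, 0x00, 0x80, 0x30, 0x30, 0x80, 0x40, 0x40
};
```

With the original rule the first mismatched packet leaves max_idx climbing to 8 on a three-byte array and no event is ever reported again; with the fix max_idx never exceeds 2 and the two well-formed packets each report an event.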
