Re: [PATCH 0/2] (no cover subject)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: hexlabsecurity@proton.me
Cc: linux-kernel@vger.kernel.org, Hans de Goede <hansg@kernel.org>,
	 Vincent Huang <vincent.huang@tw.synaptics.com>,
	linux-input@vger.kernel.org,
	 Andrew Duggan <aduggan@synaptics.com>
Subject: Re: [PATCH 0/2] (no cover subject)
Date: Thu, 25 Jun 2026 17:47:05 -0700	[thread overview]
Message-ID: <aj3L98m2MI9fzy8Q@google.com> (raw)
In-Reply-To: <20260614-b4-disp-818d6bda-v1-0-cf39a3615085@proton.me>

On Sun, Jun 14, 2026 at 12:36:10AM -0500, Bryam Vargas via B4 Relay wrote:
> From be2c4843f6145374f28edd25cef43c9373542874 Mon Sep 17 00:00:00 2001
> Message-ID: <cover.1781415009.git.hexlabsecurity@proton.me>
> From: Bryam Vargas <hexlabsecurity@proton.me>
> Date: Sun, 14 Jun 2026 00:30:09 -0500
> Subject: [PATCH 0/2] Input: synaptics-rmi4 - fix out-of-bounds keymap access on large GPIO counts
> 
> The RMI4 F3A and F30 function handlers size their GPIO/LED key map to
> min(device_gpio_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
> then consume that map with the full, unclamped device-reported count in
> two places: the attention-interrupt report loop, and input->keycodemax
> (while input->keycode points at the small allocation).
> 
> A device that reports a GPIO/LED count greater than 6 therefore yields a
> key map of at most 12 bytes that is indexed up to count-1:
> 
>   - rmi_f3a_attention() / rmi_f30_attention() read gpio[led]_key_map[i]
>     out of bounds on every attention interrupt (device-triggered), and
> 
>   - the input core's default keymap ioctls bound the index only against
>     keycodemax, so EVIOCGKEYCODE reads adjacent slab memory back to user
>     space and EVIOCSKEYCODE writes a caller-controlled u16 past the
>     allocation -- a controlled out-of-bounds heap write reachable by any
>     process that can open the evdev node.
> 
> Both handlers have the same shape; F3A was copied from F30. Patch 1 fixes
> F3A, patch 2 fixes F30. The one-line fix in each sizes the key map to the
> full device count; the mapping loop is unchanged (it still populates only
> the first min(count, 6) entries, the rest stay KEY_RESERVED and are
> skipped on report), and keycodemax now matches the allocation, closing
> the interrupt and both ioctl paths.
> 
> Reproduced with KASAN on a faithful in-kernel model of each handler
> (kmalloc-16 bucket, 12-byte request, reported count = 127):
> 
>   # without the patch -- attention read path
>   BUG: KASAN: slab-out-of-bounds in rmi_f3a_attention
>   Read of size 2 ... 0 bytes to the right of allocated 12-byte region
>     ... cache kmalloc-16
> 
>   # without the patch -- EVIOCSKEYCODE write path
>   BUG: KASAN: slab-out-of-bounds ...
>   Write of size 2 ... 0 bytes to the right of allocated 12-byte region
> 
>   # with the patch (key map sized to the full count): clean
>   # benign device (reported count <= 6): clean
> 
> The full read and write splats and a 32/64-bit ASan model of the same
> geometry are available on request.

Applied the lot, thank you.

-- 
Dmitry

next prev parent reply	other threads:[~2026-06-26  0:47 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-14  5:36 [PATCH 0/2] (no cover subject) Bryam Vargas
2026-06-14  5:36 ` Bryam Vargas via B4 Relay
2026-06-14  5:36 ` [PATCH 1/2] Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count Bryam Vargas
2026-06-14  5:36   ` Bryam Vargas via B4 Relay
2026-06-14  5:51   ` sashiko-bot
2026-06-14  5:36 ` [PATCH 2/2] Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count Bryam Vargas
2026-06-14  5:36   ` Bryam Vargas via B4 Relay
2026-06-14  5:50   ` sashiko-bot
2026-06-26  0:47 ` Dmitry Torokhov [this message]
  -- strict thread matches above, loose matches on Subject: below --
2026-01-19 10:08 [PATCH 0/2] (no cover subject) James Clark
2025-09-26 10:34 pratyush.brahma
2025-10-07  4:23 ` Anshuman Khandual
2025-02-24 17:55 Aaron Kling
2025-02-24 17:55 ` Aaron Kling via B4 Relay
2025-03-10 14:08 ` Krzysztof Wilczyński
2023-09-12  7:16 Linus Walleij
2023-09-12  7:16 ` Linus Walleij

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aj3L98m2MI9fzy8Q@google.com \
    --to=dmitry.torokhov@gmail.com \
    --cc=aduggan@synaptics.com \
    --cc=hansg@kernel.org \
    --cc=hexlabsecurity@proton.me \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=vincent.huang@tw.synaptics.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.