From mboxrd@z Thu Jan 1 00:00:00 1970 From: Djalal Harouni Subject: Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param Date: Mon, 17 Jun 2013 22:38:59 +0100 Message-ID: <20130617213858.GA2805@dztty> References: <1368192769-24067-1-git-send-email-fery@cypress.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: <1368192769-24067-1-git-send-email-fery@cypress.com> Sender: linux-kernel-owner@vger.kernel.org To: Ferruh Yigit Cc: Dmitry Torokhov , ttdrivers@cypress.com, Javier Martinez Canillas , Kees Cook , Greg KH , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org List-Id: linux-input@vger.kernel.org (Cc'ed Kees and Greg) Hi Dmitry, On Fri, May 10, 2013 at 04:32:48PM +0300, Ferruh Yigit wrote: > memcpy param is wrong because of offset in bl_cmd, this may corrupt the > stack which may cause a crash. > > Tested-by: Ferruh Yigit on TMA300-DVK > Signed-off-by: Ferruh Yigit > --- > drivers/input/touchscreen/cyttsp_core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c > index 8e60437..97ba891 100644 > --- a/drivers/input/touchscreen/cyttsp_core.c > +++ b/drivers/input/touchscreen/cyttsp_core.c > @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts) > memcpy(bl_cmd, bl_command, sizeof(bl_command)); > if (ts->pdata->bl_keys) > memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS], > - ts->pdata->bl_keys, sizeof(bl_command)); > + ts->pdata->bl_keys, CY_NUM_BL_KEYS); > > error = ttsp_write_block_data(ts, CY_REG_BASE, > sizeof(bl_cmd), bl_cmd); > -- > 1.7.9.5 I was going to send a patch and found that it was just fixed in todays next-20130617 Anyway, will this overflow fix go for the next -rc? Thanks in advance Dmitry! -- Djalal Harouni http://opendz.org