From: Richard Davies <richard@arachsys.com>
To: linux-input@vger.kernel.org, Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Mathias Gottschlag <mgottschlag@gmail.com>,
Hans de Goede <hdegoede@redhat.com>
Subject: Re: [PATCH] Input: focaltech - fix array out-of-bounds in focaltech_process_rel_packet
Date: Wed, 1 Jul 2026 19:28:33 +0000
Message-ID: <akVqYaOOKNrkDf_h@users.org.uk>
In-Reply-To: <20260701190932.14960-1-richard@arachsys.com>
Richard Davies wrote:
>Make finger2 (and also finger1) unsigned, so that if the finger index in
>the packet is 0 then subtracting 1 creates an array index which overflows
>above the existing check for FOC_MAX_FINGERS, as the existing comment says
>it should, instead of writing to state->fingers[-1].
Some further context for my patch...
I get errors such as the following on my laptop running Ubuntu 26.04 LTS:
[ 52.422376] ------------[ cut here ]------------
[ 52.422381] UBSAN: array-index-out-of-bounds in /build/linux-IJm0IA/linux-7.0.0/drivers/input/mouse/focaltech.c:221:17
[ 52.422386] index -1 is out of range for type 'focaltech_finger_state [5]'
[ 52.422389] CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Tainted: G S 7.0.0-27-generic #27-Ubuntu PREEMPT(lazy)
[ 52.422392] Tainted: [S]=CPU_OUT_OF_SPEC
[ 52.422393] Hardware name: ASUSTeK COMPUTER INC. N550JK/N550JK, BIOS N550JK.208 09/26/2014
[ 52.422395] Call Trace:
[ 52.422396] <IRQ>
[ 52.422399] show_stack+0x49/0x60
[ 52.422405] dump_stack_lvl+0x5f/0x90
[ 52.422409] dump_stack+0x10/0x18
[ 52.422410] ubsan_epilogue+0x9/0x39
[ 52.422416] __ubsan_handle_out_of_bounds.cold+0x50/0x55
[ 52.422421] focaltech_process_packet+0x541/0x560 [psmouse]
[ 52.422435] focaltech_process_byte+0x23/0x30 [psmouse]
[ 52.422443] psmouse_handle_byte+0x19/0x70 [psmouse]
[ 52.422450] psmouse_receive_byte+0x8d/0x300 [psmouse]
[ 52.422456] ps2_interrupt+0xa1/0x110
[ 52.422462] serio_interrupt+0x4b/0xb0
[ 52.422464] i8042_handle_data+0x189/0x370
[ 52.422466] ? timekeeping_adjust+0x1e/0x180
[ 52.422469] ? __note_gp_changes+0x1f3/0x270
[ 52.422473] ? sched_balance_domains+0xd9/0x380
[ 52.422475] i8042_interrupt+0x15/0x60
[ 52.422478] __handle_irq_event_percpu+0x59/0x230
[ 52.422481] handle_irq_event+0x36/0x90
[ 52.422484] handle_edge_irq+0xd3/0x1a0
[ 52.422487] __common_interrupt+0x50/0x160
[ 52.422489] ? irq_enter_rcu+0x75/0x90
[ 52.422492] common_interrupt+0xb0/0xe0
[ 52.422495] </IRQ>
[ 52.422496] <TASK>
[ 52.422497] asm_common_interrupt+0x27/0x40
[ 52.422499] RIP: 0010:cpuidle_enter_state+0xca/0x700
[ 52.422502] Code: 00 e8 ca 91 dd fe e8 15 ee ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 06 7f db fe 80 7d d0 00 0f 85 c6 01 00 00 fb 0f 1f 44 00 00 <45> 85 e4 0f 88 3e 02 00 00 4d 63 fc 49 83 ff 0a 0f 83 1d 05 00 00
[ 52.422503] RSP: 0018:ffffd20bc00f3e00 EFLAGS: 00000246
[ 52.422505] RAX: 0000000000000000 RBX: ffff8ef0a6dbd6c0 RCX: 0000000000000000
[ 52.422507] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 52.422507] RBP: ffffd20bc00f3e50 R08: 0000000000000000 R09: 0000000000000000
[ 52.422508] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000005
[ 52.422509] R13: 0000000c349ddabc R14: ffffffffb1d54c40 R15: 0000000000000005
[ 52.422511] ? tick_nohz_stop_tick+0x5e/0x260
[ 52.422516] cpuidle_enter+0x30/0x50
[ 52.422520] call_cpuidle+0x21/0x50
[ 52.422523] cpuidle_idle_call+0x16b/0x1f0
[ 52.422526] do_idle+0x94/0xf0
[ 52.422528] cpu_startup_entry+0x29/0x30
[ 52.422529] start_secondary+0x125/0x180
[ 52.422532] ? soft_restart_cpu+0x14/0x14
[ 52.422534] common_startup_64+0x13e/0x141
[ 52.422537] </TASK>
[ 52.422537] ---[ end trace ]---
These no longer occur when this patch is applied.
I found similar reports from other users at
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2125250
I found a related review comment when this code was first written at
https://lore.kernel.org/linux-input/20141111171554.GB27720@dtor-ws/
>Fixes: 05be1d079ec0 ("Input: psmouse - support for the FocalTech PS/2 protocol extensions")
>Signed-off-by: Richard Davies <richard@arachsys.com>
>---
> drivers/input/mouse/focaltech.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/input/mouse/focaltech.c b/drivers/input/mouse/focaltech.c
>index 43f9939b7c63..d3ad4af5aa09 100644
>--- a/drivers/input/mouse/focaltech.c
>+++ b/drivers/input/mouse/focaltech.c
>@@ -197,7 +197,7 @@ static void focaltech_process_rel_packet(struct psmouse *psmouse,
> {
> struct focaltech_data *priv = psmouse->private;
> struct focaltech_hw_state *state = &priv->state;
>- int finger1, finger2;
>+ unsigned int finger1, finger2;
>
> state->pressed = packet[0] >> 7;
> finger1 = ((packet[0] >> 4) & 0x7) - 1;
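Review bot: the hunk changes only the declaration, while the comparison against FOC_MAX_FINGERS that is supposed to reject the wrapped index lies below the visible context; please confirm that no `< 0` or other signed comparison on finger1/finger2 remains (with `unsigned int` such a test is always false), and consider widening the context so the guard is shown next to the declaration it now depends on. Note also that storing `((packet[0] >> 4) & 0x7) - 1` into an unsigned int when the field is 0 is a well-defined conversion to UINT_MAX, so the description's "overflows" means wraparound rather than undefined behaviour. Since this fixes an out-of-bounds write into state->fingers[] that UBSAN reports on shipping kernels and the patch carries a Fixes: tag, a Cc: stable@vger.kernel.org tag would help it reach the stable trees.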
>--
>2.53.0
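The mechanism the commit message describes, as an added C example that is not part of the patch or of the kernel source: it models the driver's finger-index extraction and its guard (the `< FOC_MAX_FINGERS` comparison is assumed from the patch description) with the original signed type beside the patched unsigned one, and a constructed six-byte packet for the odd-finger case where the second finger field is 0.

```c
#include <stdbool.h>
#include <stdint.h>

#define FOC_MAX_FINGERS 5   /* as in drivers/input/mouse/focaltech.c */

/* Constructed stand-in for the driver's per-finger state. */
struct finger_state { int x, y; };
struct hw_state { struct finger_state fingers[FOC_MAX_FINGERS]; };

/* Original (signed) computation: a finger field of 0 yields -1, which
 * still satisfies `finger < FOC_MAX_FINGERS`, so the guard lets the write
 * to state->fingers[-1] through. Returns whether the guard would pass. */
bool signed_index_passes_guard(uint8_t byte, int *index)
{
	int finger = ((byte >> 4) & 0x7) - 1;
	*index = finger;
	return finger < FOC_MAX_FINGERS;
}

/* Patched (unsigned) computation: 0 - 1 converts to UINT_MAX, which is
 * well defined for unsigned types and fails the same guard. */
bool unsigned_index_passes_guard(uint8_t byte, unsigned int *index)
{
	unsigned int finger = ((byte >> 4) & 0x7) - 1;
	*index = finger;
	return finger < FOC_MAX_FINGERS;
}

/* Model of focaltech_process_rel_packet after the patch (assumed shape):
 * applies the two relative deltas to the fingers named in a 6-byte packet,
 * skipping any slot whose index is out of range. Returns the number of
 * fingers updated, which is 1 for the odd-finger packet. */
int process_rel_packet_fixed(struct hw_state *state, const uint8_t packet[6])
{
	unsigned int finger1 = ((packet[0] >> 4) & 0x7) - 1;
	unsigned int finger2 = ((packet[3] >> 4) & 0x7) - 1;
	int updated = 0;

	if (finger1 < FOC_MAX_FINGERS) {
		state->fingers[finger1].x += (int8_t)packet[1];
		state->fingers[finger1].y += (int8_t)packet[2];
		updated++;
	}
	if (finger2 < FOC_MAX_FINGERS) {
		state->fingers[finger2].x += (int8_t)packet[4];
		state->fingers[finger2].y += (int8_t)packet[5];
		updated++;
	}
	return updated;
}
```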
Thread overview: 3+ messages
2026-07-01 19:09 [PATCH] Input: focaltech - fix array out-of-bounds in focaltech_process_rel_packet Richard Davies
2026-07-01 19:28 ` Richard Davies [this message]
2026-07-01 19:32 ` sashiko-bot