From: Sergey Shtylyov <s.shtylyov@auroraos.dev>
To: Jiri Kosina <jikos@kernel.org>, Georgiy Osokin <g.osokin@auroraos.dev>
Cc: <bonbons@linux-vserver.org>, <bentiss@kernel.org>,
<linux-input@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<lvc-project@linuxtesting.org>
Subject: Re: [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
Date: Mon, 29 Jun 2026 16:16:02 +0300 [thread overview]
Message-ID: <df0ed02b-038c-43c2-a84f-b8225f2ffcdd@auroraos.dev> (raw)
In-Reply-To: <886s5548-p183-3nr0-4836-85968p1non0r@xreary.bet>
On 6/29/26 11:46 AM, Jiri Kosina wrote:
>> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
>> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
>> If the loop executes more than INT_MAX times, 'k' becomes negative,
>> making the condition 'k < size' true even when 'size' is 0.
>>
>> Change the type of 'k' to 'unsigned int' to prevent the overflow and
>> eliminate the out-of-bounds access.
>>
>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>> analysis tool.
>>
>> Fixes: fabdbf2 ("HID: picoLCD: split driver code")
>
> Next time, please make the shas of commits a little bit longer to avoid
> uncertainity.
>
>> Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
>
> Applied, thanks!
Hm, I think we (with the help of Sashiko [1]) arrived to the conclusion
that an overflow should never happen with the current ranges of the loop
counters. We have re-resolved this issue as false positive internally...
[1] https://lore.kernel.org/all/20260517125108.BC3FDC2BCB0@smtp.kernel.org/
> --
> Jiri Kosina
> SUSE Labs
MBR, Sergey
prev parent reply other threads:[~2026-06-29 13:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 12:06 [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait() Georgiy Osokin
2026-05-17 12:51 ` sashiko-bot
2026-06-29 8:46 ` Jiri Kosina
2026-06-29 13:16 ` Sergey Shtylyov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df0ed02b-038c-43c2-a84f-b8225f2ffcdd@auroraos.dev \
--to=s.shtylyov@auroraos.dev \
--cc=bentiss@kernel.org \
--cc=bonbons@linux-vserver.org \
--cc=g.osokin@auroraos.dev \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox