Date: Sat, 25 Apr 2026 22:07:06 -0700
From: Dmitry Torokhov
To: linux-input@vger.kernel.org, Jingle Wu 吳金國
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] Input: elan_i2c - validate firmware size before use

Ensure that the firmware file is large enough to contain the expected number of pages and the signature (which resides at the end of the firmware blob) before accessing them to prevent potential out-of-bounds reads.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov

--- drivers/input/mouse/elan_i2c_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c index fee1796da3d0..74f822cd8774 100644 --- a/drivers/input/mouse/elan_i2c_core.c +++ b/drivers/input/mouse/elan_i2c_core.c @@ -645,6 +645,11 @@ static ssize_t elan_sysfs_update_fw(struct device *dev, return error; } + if (fw->size < data->fw_signature_address + sizeof(signature)) { + dev_err(dev, "firmware file too small\n"); + return -EBADF; + } + /* Firmware file must match signature data */ fw_signature = &fw->data[data->fw_signature_address]; if (memcmp(fw_signature, signature, sizeof(signature)) != 0) { -- 2.54.0.545.g6539524ca2-goog -- Dmitry
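Review bot: The added `if (fw->size < data->fw_signature_address + sizeof(signature))` check bounds only the signature read, while the commit message also promises that the file holds the expected number of pages; nothing in this hunk compares fw->size against the page data. If the signature address is guaranteed to lie past the last page, a one-line comment above the check saying so would close the gap; otherwise an explicit size check for the page data belongs next to this one. The new branch also uses a bare `return -EBADF;` while fw is held, so it is worth confirming that fw is released on that path, since the release is not visible in this context.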