Date: Sun, 14 Jun 2026 13:59:32 -0700
From: Dmitry Torokhov
To: hexlabsecurity@proton.me
Cc: linux-input@vger.kernel.org, Rick Koch, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Input: touchwin - reset the packet index on every complete packet
In-Reply-To: <20260613-b4-disp-69921bfd-v1-1-82c036899959@proton.me>

On Sat, Jun 13, 2026 at 08:07:20PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas
>
> tw_interrupt() accumulates each non-zero serial byte into a fixed
> three-byte buffer with a running index that is only reset once a full
> packet has been received *and* the device's two Y bytes agree:
>
>     tw->data[tw->idx++] = data;
>     if (tw->idx == TW_LENGTH && tw->data[1] == tw->data[2]) {
>         ...
>         tw->idx = 0;
>     }
>
> The reset is gated on tw->data[1] == tw->data[2], a value the device
> controls. A malicious, malfunctioning or counterfeit Touchwindow
> peripheral can stream non-zero bytes whose 2nd and 3rd bytes differ: the
> index reaches TW_LENGTH without the equality holding, is never reset, and
> keeps growing, so tw->data[tw->idx++] walks off the end of the three-byte
> array and the rest of the heap-allocated struct tw, one attacker-chosen
> byte at a time -- an unbounded, device-driven heap out-of-bounds write.
>
> Reset the index on every completed packet and report an event only when
> the two Y bytes match, like the other serio touchscreen drivers do.
>
> Fixes: 11ea3173d5f2 ("Input: add driver for Touchwin serial touchscreens")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas

Applied, thank you.

-- 
Dmitry
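
The index handling described in the quoted commit message, modelled in userspace C as an added example (not the patch itself and not kernel code). `tw_model`, `tw_store`, `tw_run` and `tw_sample` are hypothetical names; the handler's zero-byte path is not modelled, and the store is bounds-guarded so an overrun is counted rather than performed.

```c
#include <stddef.h>
#include <stdint.h>

#define TW_LENGTH 3 /* packet length named in the commit message */

/* Userspace model of the per-device state; not the kernel's struct tw. */
struct tw_model {
	uint8_t data[TW_LENGTH];
	size_t idx;      /* running packet index */
	unsigned events; /* packets that would be reported */
	unsigned oob;    /* stores that would have landed past data[] */
};

/* Store one non-zero byte. The bounds guard exists only in this model,
 * so an overrun is counted instead of performed. */
static void tw_store(struct tw_model *tw, uint8_t byte)
{
	if (tw->idx < TW_LENGTH)
		tw->data[tw->idx] = byte;
	else
		tw->oob++;
	tw->idx++;
}

/* Run a stream through the model. fixed == 0: reset gated on the
 * device-controlled Y bytes (before the fix). fixed != 0: reset on every
 * complete packet, Y comparison only decides whether to report. */
static struct tw_model tw_run(const uint8_t *s, size_t n, int fixed)
{
	struct tw_model tw = {0};

	for (size_t i = 0; i < n; i++) {
		tw_store(&tw, s[i]);
		if (tw.idx != TW_LENGTH)
			continue;
		int match = tw.data[1] == tw.data[2];
		if (match)
			tw.events++;
		if (match || fixed)
			tw.idx = 0;
	}
	return tw;
}

/* Constructed sample: four packets, the second with mismatched Y bytes. */
static const uint8_t tw_sample[] = {
	0x10, 0x20, 0x20,  0x11, 0x21, 0x22,
	0x12, 0x23, 0x23,  0x13, 0x24, 0x24,
};
```

On the constructed sample, one mismatched packet is enough for the gated variant to stop resynchronising: every later byte is counted as an out-of-bounds store, while the fixed variant drops only that packet and reports the other three.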