* Patch "Input: gtco - fix potential out-of-bound access" has been added to the 4.4-stable tree
@ 2017-10-30 9:30 gregkh
From: gregkh @ 2017-10-30 9:30 UTC
To: dmitry.torokhov, andreyknvl, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
Input: gtco - fix potential out-of-bound access
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
input-gtco-fix-potential-out-of-bound-access.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
From a50829479f58416a013a4ccca791336af3c584c7 Mon Sep 17 00:00:00 2001
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: Mon, 23 Oct 2017 16:46:00 -0700
Subject: Input: gtco - fix potential out-of-bound access
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit a50829479f58416a013a4ccca791336af3c584c7 upstream.
parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/tablet/gtco.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(
/* Walk this report and pull out the info we need */
while (i < length) {
- prefix = report[i];
-
- /* Skip over prefix */
- i++;
+ prefix = report[i++];
/* Determine data size and save the data in the proper variable */
- size = PREF_SIZE(prefix);
+ size = (1U << PREF_SIZE(prefix)) >> 1;
+ if (i + size > length) {
+ dev_err(ddev,
+ "Not enough data (need %d, have %d)\n",
+ i + size, length);
+ break;
+ }
+
switch (size) {
case 1:
data = report[i];
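Review bot: the new bounds check `i + size > length` relies on the addition not wrapping, and the two `%d` conversions in the `dev_err()` call rely on `i + size` and `length` being int-sized signed values. Neither can be confirmed from this hunk, because the declarations of `i`, `size` and `length` are outside it. Writing the test as `size > length - i` sidesteps the wrap question, since the loop condition together with `prefix = report[i++]` guarantees `i <= length` at that point. Separately, a short comment on `(1U << PREF_SIZE(prefix)) >> 1` stating that it maps size codes 0, 1, 2, 3 to 0, 1, 2 and 4 bytes would save the next reader the arithmetic, now that the explicit `case 3: size = 4;` translation is gone.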
@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(
case 2:
data16 = get_unaligned_le16(&report[i]);
break;
- case 3:
- size = 4;
+ case 4:
data32 = get_unaligned_le32(&report[i]);
break;
}
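Review bot: with `case 3` replaced by `case 4`, the switch as shown handles only byte counts 1, 2 and 4 and has no `case 0` or `default`, so for a zero-length item none of `data`, `data16` or `data32` is assigned and each keeps whatever an earlier iteration stored. Any code after the switch that reads them should be gated on `size`, and an explicit `default:` (or `case 0:`) with a brief comment would document that the computed `size` can only be 0, 1, 2 or 4 and make the zero-length path intentional rather than implicit.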
Patches currently in stable-queue which might be from dmitry.torokhov@gmail.com are
queue-4.4/input-elan_i2c-add-elan0611-to-the-acpi-table.patch
queue-4.4/input-gtco-fix-potential-out-of-bound-access.patch