From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Dan Carpenter , Dmitry Torokhov Subject: [PATCH 6.12 097/414] Input: ims-pcu - check record size in ims_pcu_flash_firmware() Date: Mon, 23 Jun 2025 15:03:54 +0200 Message-ID: <20250623130644.519679460@linuxfoundation.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250623130642.015559452@linuxfoundation.org> References: <20250623130642.015559452@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit a95ef0199e80f3384eb992889322957d26c00102 upstream. The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);" Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/131fd1ae92c828ee9f4fa2de03d8c210ae1f3524.1748463049.git.dan.carpenter@linaro.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- drivers/input/misc/ims-pcu.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/input/misc/ims-pcu.c +++ b/drivers/input/misc/ims-pcu.c @@ -844,6 +844,12 @@ static int ims_pcu_flash_firmware(struct addr = be32_to_cpu(rec->addr) / 2; len = be16_to_cpu(rec->len); + if (len > sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment)) { + dev_err(pcu->dev, + "Invalid record length in firmware: %d\n", len); + return -EINVAL; + } + fragment = (void *)&pcu->cmd_buf[1]; put_unaligned_le32(addr, &fragment->addr); fragment->len = len;
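Review bot: The bound in `if (len > sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment))` carries an unexplained `- 1` that only makes sense next to `fragment = (void *)&pcu->cmd_buf[1];` two lines further down. Nothing ties the two together, so a later change to that offset would silently invalidate the check. A one-line comment above the `if` saying that the first byte of `cmd_buf` is skipped and that `sizeof(*fragment)` accounts for the fragment header would document this, or both lines could use one named offset. Two smaller points. The message prints `len` with `%d`, so the specifier should be checked against the declared type of `len`, which is not visible in this hunk. The new `return -EINVAL;` leaves the function in the middle of processing a record, so it is worth confirming that nothing set up earlier in ims_pcu_flash_firmware() needs unwinding on this path. The check limits the destination side of the `memcpy(fragment->data, rec->data, len);` quoted in the commit message. Whether `rec->len` is also validated against the remaining firmware image cannot be judged from these lines.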