From: Benjamin Tissoires
To: Dmitry Torokhov
Cc: kt.liao@emc.com.tw, Oliver Haessler, Benjamin Berg, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Benjamin Tissoires
Subject: [PATCH 2/8] input: elan_i2c_smbus - fix corrupted stack
Date: Thu, 5 Apr 2018 15:25:31 +0200
Message-Id: <20180405132537.3218-3-benjamin.tissoires@redhat.com>
In-Reply-To: <20180405132537.3218-1-benjamin.tissoires@redhat.com>
References: <20180405132537.3218-1-benjamin.tissoires@redhat.com>

New ICs (like the one on the Lenovo T480s) answer to ETP_SMBUS_IAP_VERSION_CMD with 4 bytes instead of 3. This corrupts the stack as i2c_smbus_read_block_data() uses the values returned by the i2c device to know how much data it needs to return.

i2c_smbus_read_block_data() can read up to 32 bytes (I2C_SMBUS_BLOCK_MAX) and there is no safeguard on how many bytes are provided in the return value.

Ensure we always have enough space for any future firmware. Also 0-initialize the values to prevent any access to uninitialized memory.

Signed-off-by: Benjamin Tissoires
--- drivers/input/mouse/elan_i2c_smbus.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/input/mouse/elan_i2c_smbus.c b/drivers/input/mouse/elan_i2c_smbus.c index 29f99529b187..cfcb32559925 100644 --- a/drivers/input/mouse/elan_i2c_smbus.c +++ b/drivers/input/mouse/elan_i2c_smbus.c 
@@ -130,7 +130,7 @@ static int elan_smbus_get_baseline_data(struct i2c_client *client, bool max_baseline, u8 *value) { int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; error = i2c_smbus_read_block_data(client, max_baseline ? @@ -149,7 +149,7 @@ static int elan_smbus_get_version(struct i2c_client *client, bool iap, u8 *version) { int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; error = i2c_smbus_read_block_data(client, iap ? ETP_SMBUS_IAP_VERSION_CMD : @@ -170,7 +170,7 @@ static int elan_smbus_get_sm_version(struct i2c_client *client, u8 *clickpad) { int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; error = i2c_smbus_read_block_data(client, ETP_SMBUS_SM_VERSION_CMD, val); @@ -188,7 +188,7 @@ static int elan_smbus_get_sm_version(struct i2c_client *client, static int elan_smbus_get_product_id(struct i2c_client *client, u16 *id) { int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; error = i2c_smbus_read_block_data(client, ETP_SMBUS_UNIQUEID_CMD, val); @@ -205,7 +205,7 @@ static int elan_smbus_get_checksum(struct i2c_client *client, bool iap, u16 *csum) { int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; error = i2c_smbus_read_block_data(client, iap ? ETP_SMBUS_FW_CHECKSUM_CMD : @@ -226,7 +226,7 @@ static int elan_smbus_get_max(struct i2c_client *client, { int ret; int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; ret = i2c_smbus_read_block_data(client, ETP_SMBUS_RANGE_CMD, val); if (ret != 3) { @@ -246,7 +246,7 @@ static int elan_smbus_get_resolution(struct i2c_client *client, { int ret; int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; ret = i2c_smbus_read_block_data(client, ETP_SMBUS_RESOLUTION_CMD, val); if (ret != 3) { @@ -267,7 +267,7 @@ static int elan_smbus_get_num_traces(struct i2c_client *client, { int ret; int error; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; ret = i2c_smbus_read_block_data(client, ETP_SMBUS_XY_TRACENUM_CMD, val); if (ret != 3) { 
@@ -294,7 +294,7 @@ static int elan_smbus_iap_get_mode(struct i2c_client *client, { int error; u16 constant; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; error = i2c_smbus_read_block_data(client, ETP_SMBUS_IAP_CTRL_CMD, val); if (error < 0) { @@ -345,7 +345,7 @@ static int elan_smbus_prepare_fw_update(struct i2c_client *client) int len; int error; enum tp_mode mode; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; u8 cmd[4] = {0x0F, 0x78, 0x00, 0x06}; u16 password; @@ -419,7 +419,7 @@ static int elan_smbus_write_fw_block(struct i2c_client *client, struct device *dev = &client->dev; int error; u16 result; - u8 val[3]; + u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; /* * Due to the limitation of smbus protocol limiting -- 2.14.3
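
Review bot: In the elan_smbus_get_max(), elan_smbus_get_resolution() and elan_smbus_get_num_traces() hunks the context keeps the strict `if (ret != 3)` length check, so a device that answers these commands with 4 bytes, as the commit message describes for ETP_SMBUS_IAP_VERSION_CMD, no longer writes past val but still takes the `ret != 3` branch. If longer replies are possible for these commands, relax the test to `ret < 3`; if they are not, say in the commit message which commands changed length.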
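
Review bot: In the elan_smbus_iap_get_mode() hunk the only check after the read is `if (error < 0)`, so the byte count returned by i2c_smbus_read_block_data() is never compared with the number of bytes the function expects. With val now zero-initialized, a short reply would be parsed as zeros rather than rejected. Consider checking the return value against the expected minimum length here, and in any other caller that only tests for a negative return.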
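
Review bot: The declaration `u8 val[I2C_SMBUS_BLOCK_MAX] = {0};` is repeated in all eleven hunks with no comment explaining why a 3-byte reply needs a 32-byte buffer. A one-line comment at each site, or a small wrapper around i2c_smbus_read_block_data() that owns the full-size buffer and copies out only the expected length, would document the device-controlled length and keep a later cleanup from shrinking the array back to `u8 val[3]`.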