From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Aaron Ma, Jiri Kosina
Subject: [PATCH 4.9 24/95] HID: i2c-hid: fix size check and type usage
Date: Sun, 22 Apr 2018 15:52:53 +0200
Message-Id: <20180422135211.425609597@linuxfoundation.org>
In-Reply-To: <20180422135210.432103639@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Aaron Ma commit ac75a041048b8c1f7418e27621ca5efda8571043 upstream. When convert char array with signed int, if the inbuf[x] is negative then upper bits will be set to 1. Fix this by using u8 instead of char. ret_size has to be at least 3, hid_input_report use it after minus 2 bytes. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman --- drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -142,10 +142,10 @@ struct i2c_hid { * register of the HID * descriptor. */ unsigned int bufsize; /* i2c buffer size */ - char *inbuf; /* Input buffer */ - char *rawbuf; /* Raw Input buffer */ - char *cmdbuf; /* Command buffer */ - char *argsbuf; /* Command arguments buffer */ + u8 *inbuf; /* Input buffer */ + u8 *rawbuf; /* Raw Input buffer */ + u8 *cmdbuf; /* Command buffer */ + u8 *argsbuf; /* Command arguments buffer */ unsigned long flags; /* device flags */ unsigned long quirks; /* Various quirks */ @@ -451,7 +451,8 @@ out_unlock: static void i2c_hid_get_input(struct i2c_hid *ihid) { - int ret, ret_size; + int ret; + u32 ret_size; int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); if (size > ihid->bufsize) @@ -476,7 +477,7 @@ static void i2c_hid_get_input(struct i2c return; } - if (ret_size > size) { + if ((ret_size > size) || (ret_size <= 2)) { dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", __func__, size, ret_size); return;
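
Review bot: the changelog only justifies the sign-extension fix for inbuf[x], yet the struct i2c_hid hunk (@@ -142) also retypes rawbuf, cmdbuf and argsbuf from char * to u8 *. State in the commit message that all four buffers are converted for consistency, and confirm that any code passing these pointers to a helper declared with char * still builds without pointer-sign warnings, since no such call sites are touched by this patch.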
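
Review bot: in the declarations at the top of i2c_hid_get_input() (@@ -451), ret_size becomes u32 while size stays int, so the later `ret_size > size` test compares mixed signedness and implicitly converts size to unsigned. size is initialised from le16_to_cpu(ihid->hdesc.wMaxInputLength), a 16-bit value, so the comparison gives the intended result, but declaring size as an unsigned type as well would make that obvious and keep the two lengths consistent.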
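
Review bot: the dev_err() call in the last hunk (@@ -476) still formats ret_size with %d although the variable is now u32; the second specifier should be %u. The same branch is now also taken for `ret_size <= 2`, so the "incomplete report" text covers both an over-long and a too-short length; a short comment next to the check noting that hid_input_report uses ret_size after subtracting 2, as the changelog says, would explain why 2 is the bound.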