From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ben Hutchings, Benjamin Tissoires, Dmitry Torokhov
Subject: [PATCH 4.4 096/105] Input: elan_i2c_smbus - fix more potential stack buffer overflows
Date: Sun, 1 Jul 2018 18:02:46 +0200
Message-Id: <20180701153156.266092061@linuxfoundation.org>
In-Reply-To: <20180701153149.382300170@linuxfoundation.org>
References: <20180701153149.382300170@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream. Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack") fixed most of the functions using i2c_smbus_read_block_data() to allocate a buffer with the maximum block size. However three functions were left unchanged: * In elan_smbus_initialize(), increase the buffer size in the same way. * In elan_smbus_calibrate_result(), the buffer is provided by the caller (calibrate_store()), so introduce a bounce buffer. Also name the result buffer size. * In elan_smbus_get_report(), the buffer is provided by the caller but happens to be the right length. Add a compile-time assertion to ensure this remains the case. Cc: # 3.19+ Signed-off-by: Ben Hutchings Reviewed-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- drivers/input/mouse/elan_i2c.h | 2 ++ drivers/input/mouse/elan_i2c_core.c | 2 +- drivers/input/mouse/elan_i2c_smbus.c | 10 ++++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) --- a/drivers/input/mouse/elan_i2c.h +++ b/drivers/input/mouse/elan_i2c.h @@ -27,6 +27,8 @@ #define ETP_DISABLE_POWER 0x0001 #define ETP_PRESSURE_OFFSET 25 +#define ETP_CALIBRATE_MAX_LEN 3 + /* IAP Firmware handling */ #define ETP_PRODUCT_ID_FORMAT_STRING "%d.0" #define ETP_FW_NAME "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin" --- a/drivers/input/mouse/elan_i2c_core.c +++ b/drivers/input/mouse/elan_i2c_core.c @@ -595,7 +595,7 @@ static ssize_t calibrate_store(struct de int tries = 20; int retval; int error; - u8 val[3]; + u8 val[ETP_CALIBRATE_MAX_LEN]; retval = mutex_lock_interruptible(&data->sysfs_mutex); if (retval) --- a/drivers/input/mouse/elan_i2c_smbus.c +++ b/drivers/input/mouse/elan_i2c_smbus.c 
@@ -56,7 +56,7 @@ static int elan_smbus_initialize(struct i2c_client *client) { u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 }; - u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 }; + u8 values[I2C_SMBUS_BLOCK_MAX] = {0}; int len, error; /* Get hello packet */ @@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val) { int error; + u8 buf[I2C_SMBUS_BLOCK_MAX] = {0}; + + BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf)); error = i2c_smbus_read_block_data(client, - ETP_SMBUS_CALIBRATE_QUERY, val); + ETP_SMBUS_CALIBRATE_QUERY, buf); if (error < 0) return error; + memcpy(val, buf, ETP_CALIBRATE_MAX_LEN); return 0; } @@ -466,6 +470,8 @@ static int elan_smbus_get_report(struct { int len; + BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN); + len = i2c_smbus_read_block_data(client, ETP_SMBUS_PACKET_QUERY, &report[ETP_SMBUS_REPORT_OFFSET]);
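
Review bot: ETP_CALIBRATE_MAX_LEN in the elan_i2c.h hunk is added without a comment, and it sits between ETP_PRESSURE_OFFSET and the IAP firmware block where nothing says what it measures. calibrate_store() sizes `u8 val[ETP_CALIBRATE_MAX_LEN]` with it and elan_smbus_calibrate_result() copies exactly that many bytes, so a one-line comment stating that it is the calibration result length in bytes shared by both would keep the two sides from drifting apart.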
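
Review bot: in elan_smbus_initialize(), `values` grows to I2C_SMBUS_BLOCK_MAX while `check` stays at ETP_SMBUS_HELLOPACKET_LEN, so the two arrays no longer have the same size. The comparison that follows is outside the visible context; please confirm that it compares ETP_SMBUS_HELLOPACKET_LEN bytes and validates `len` against that constant, not against sizeof(values).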
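
Review bot: in elan_smbus_calibrate_result(), the return value of i2c_smbus_read_block_data() is only tested with `if (error < 0)`, so a successful read shorter than ETP_CALIBRATE_MAX_LEN is accepted and the memcpy() hands the caller the zero fill from `buf` as if it were device data. The zero initialisation keeps this from exposing stale stack contents, but consider rejecting a short block (for example returning -EIO when the returned length is below ETP_CALIBRATE_MAX_LEN), or document that zero padding is intended. On success the variable holds a byte count, so `len` would read better than `error`, matching elan_smbus_get_report().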
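
Review bot: the BUILD_BUG_ON in elan_smbus_get_report() compares I2C_SMBUS_BLOCK_MAX with ETP_SMBUS_REPORT_LEN, but the read lands at `&report[ETP_SMBUS_REPORT_OFFSET]` in a buffer the caller owns, so the assertion protects the stack only if the caller's buffer is at least ETP_SMBUS_REPORT_OFFSET + ETP_SMBUS_REPORT_LEN bytes. That size is not visible here and nothing in this function ties the two together; a comment naming the caller's buffer size, or an assertion written against that constant, would make the guarantee checkable at this site.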