From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Grant Hernandez , Dmitry Torokhov Subject: [PATCH 5.2 286/413] Input: gtco - bounds check collection indent level Date: Wed, 24 Jul 2019 21:19:37 +0200 Message-Id: <20190724191756.722423802@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190724191735.096702571@linuxfoundation.org> References: <20190724191735.096702571@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Grant Hernandez commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out. This was discovered during code review after a previous syzkaller bug was found in this driver. Signed-off-by: Grant Hernandez Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- drivers/input/tablet/gtco.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com /* Max size of a single report */ #define REPORT_MAX_SIZE 10 +#define MAX_COLLECTION_LEVELS 10 /* Bitmask whether pen is in range */ 
@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor( char maintype = 'x'; char globtype[12]; int indent = 0; - char indentstr[10] = ""; - + char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); @@ -350,6 +350,13 @@ static void parse_hid_report_descriptor( case TAG_MAIN_COL_START: maintype = 'S'; + if (indent == MAX_COLLECTION_LEVELS) { + dev_err(ddev, "Collection level %d would exceed limit of %d\n", + indent + 1, + MAX_COLLECTION_LEVELS); + break; + } + if (data == 0) { dev_dbg(ddev, "======>>>>>> Physical\n"); strcpy(globtype, "Physical"); @@ -369,8 +376,15 @@ static void parse_hid_report_descriptor( break; case TAG_MAIN_COL_END: - dev_dbg(ddev, "<<<<<<======\n"); maintype = 'E'; + + if (indent == 0) { + dev_err(ddev, "Collection level already at zero\n"); + break; + } + + dev_dbg(ddev, "<<<<<<======\n"); + indent--; for (x = 0; x < indent; x++) indentstr[x] = '-';
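Review bot: MAX_COLLECTION_LEVELS in the first hunk is added without a comment, while the neighbouring REPORT_MAX_SIZE has one; since this constant both caps the HID collection nesting depth the parser accepts and sizes indentstr, a one-line comment such as "/* Max nesting depth of HID collections we track */" would make the coupling between the define and the array declaration visible to the next reader.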
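Review bot: The "+ 1" in "char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };" is the terminator slot and deserves a comment, because it is the detail that keeps the later "indentstr[x] = '-'" loop in bounds: with indent never exceeding MAX_COLLECTION_LEVELS the loop writes indices 0..9 and leaves index 10 for the NUL, whereas the old "char indentstr[10]" had no headroom once the descriptor nested ten levels deep.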
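Review bot: In the TAG_MAIN_COL_START hunk the guard uses "indent == MAX_COLLECTION_LEVELS"; ">=" would be the more defensive form, since a future change to how indent is updated would not silently reopen the overflow. Also note that "break" only skips this one collection while parsing continues, so the matching TAG_MAIN_COL_END later in the descriptor will decrement indent for a level that was never opened and the nesting bookkeeping stays off by one for the rest of the report; the underflow check keeps this harmless, but a comment stating that a too-deep descriptor is tolerated rather than rejected would save the next reader from wondering whether that is intended. Finally, "maintype = 'S';" is assigned before the guard, so a rejected start tag still updates maintype; if maintype feeds anything beyond the debug output, move the assignment below the check.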
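Review bot: The TAG_MAIN_COL_END hunk correctly stops indent from going negative on an unbalanced end-collection tag, and moving the "<<<<<<======" dev_dbg below the guard means a rejected tag no longer logs a close it did not perform. The same ordering question as in the start hunk applies here: "maintype = 'E';" is set before the guard, so either move it after the "indent == 0" check or document that maintype is only consumed by the debug print. Consider also including the current tag in the "Collection level already at zero" message so a malformed descriptor can be diagnosed from the log alone.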