From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Grant Hernandez, Dmitry Torokhov
Subject: [PATCH 4.14 127/293] Input: gtco - bounds check collection indent level
Date: Mon, 29 Jul 2019 21:20:18 +0200
Message-Id: <20190729190834.317657678@linuxfoundation.org>
In-Reply-To: <20190729190820.321094988@linuxfoundation.org>
References: <20190729190820.321094988@linuxfoundation.org>

From: Grant Hernandez

commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream.

The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes to be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out. This was discovered during code review after a previous syzkaller bug was found in this driver.

Signed-off-by: Grant Hernandez
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman

--- drivers/input/tablet/gtco.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com /* Max size of a single report */ #define REPORT_MAX_SIZE 10 +#define MAX_COLLECTION_LEVELS 10 /* Bitmask whether pen is in range */ 
@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor( char maintype = 'x'; char globtype[12]; int indent = 0; - char indentstr[10] = ""; - + char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); @@ -350,6 +350,13 @@ static void parse_hid_report_descriptor( case TAG_MAIN_COL_START: maintype = 'S'; + if (indent == MAX_COLLECTION_LEVELS) { + dev_err(ddev, "Collection level %d would exceed limit of %d\n", + indent + 1, + MAX_COLLECTION_LEVELS); + break; + } + if (data == 0) { dev_dbg(ddev, "======>>>>>> Physical\n"); strcpy(globtype, "Physical"); @@ -369,8 +376,15 @@ static void parse_hid_report_descriptor( break; case TAG_MAIN_COL_END: - dev_dbg(ddev, "<<<<<<======\n"); maintype = 'E'; + + if (indent == 0) { + dev_err(ddev, "Collection level already at zero\n"); + break; + } + + dev_dbg(ddev, "<<<<<<======\n"); + indent--; for (x = 0; x < indent; x++) indentstr[x] = '-';
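
Review bot: MAX_COLLECTION_LEVELS in the first hunk (@@ -78,6 +78,7 @@) has no comment of its own and sits directly under the "Max size of a single report" comment that belongs to REPORT_MAX_SIZE. A one-line comment stating that it is the maximum collection nesting depth tracked for the debug indent string, and that indentstr is sized from it plus one byte for the terminator, would keep the two defines from being read as related and would tie the constant to the buffer it protects.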
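
Review bot: in the TAG_MAIN_COL_START hunk (@@ -350,6 +350,13 @@), the break taken when indent == MAX_COLLECTION_LEVELS skips this collection start, but the TAG_MAIN_COL_END that closes it will still pass the new indent == 0 test in the next hunk and decrement indent. From that point on the tracked level no longer matches the descriptor's real nesting. The indentstr writes stay in bounds, so only the debug indentation is affected, but it would be cleaner either to stop parsing the descriptor once the limit is hit or to count the skipped starts so that their matching ends are skipped as well. Note also that maintype = 'S' is assigned before the check, so it is updated even for a collection that is then rejected.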
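
Review bot: in the TAG_MAIN_COL_END hunk (@@ -369,8 +376,15 @@), the guard is if (indent == 0), while indent is a signed int that is decremented on the following lines and then used as the loop bound for the indentstr[x] = '-' writes. Testing indent <= 0 costs nothing and still holds if some other path ever leaves indent negative; for the same reason the collection-start check would be more robust as indent >= MAX_COLLECTION_LEVELS than as an equality test.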