From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Grant Hernandez, Dmitry Torokhov
Subject: [PATCH 4.4 058/158] Input: gtco - bounds check collection indent level
Date: Fri, 2 Aug 2019 11:27:59 +0200
Message-Id: <20190802092215.847417263@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190802092203.671944552@linuxfoundation.org>
References: <20190802092203.671944552@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Grant Hernandez

commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream.

The GTCO tablet input driver configures itself from an HID report sent
via USB during the initial enumeration process. Some debugging messages
are generated during the parsing. A debugging message indentation
counter is not bounds checked, leading to the ability for a specially
crafted HID report to cause '-' and null bytes to be written past the end
of the indentation array.

As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will
not be optimized out.

This was discovered during code review after a previous syzkaller bug
was found in this driver.

Signed-off-by: Grant Hernandez
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman
---
 drivers/input/tablet/gtco.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com /* Max size of a single report */ #define REPORT_MAX_SIZE 10 +#define MAX_COLLECTION_LEVELS 10 /* Bitmask whether pen is in range */
@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor( char maintype = 'x'; char globtype[12]; int indent = 0; - char indentstr[10] = ""; - + char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); @@ -351,6 +351,13 @@ static void parse_hid_report_descriptor( case TAG_MAIN_COL_START: maintype = 'S'; + if (indent == MAX_COLLECTION_LEVELS) { + dev_err(ddev, "Collection level %d would exceed limit of %d\n", + indent + 1, + MAX_COLLECTION_LEVELS); + break; + } + if (data == 0) { dev_dbg(ddev, "======>>>>>> Physical\n"); strcpy(globtype, "Physical"); @@ -370,8 +377,15 @@ static void parse_hid_report_descriptor( break; case TAG_MAIN_COL_END: - dev_dbg(ddev, "<<<<<<======\n"); maintype = 'E'; + + if (indent == 0) { + dev_err(ddev, "Collection level already at zero\n"); + break; + } + + dev_dbg(ddev, "<<<<<<======\n"); + indent--; for (x = 0; x < indent; x++) indentstr[x] = '-';
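Review bot: the new `#define MAX_COLLECTION_LEVELS 10` in the first hunk (@@ -78,6 +78,7 @@) carries no comment, while its neighbour REPORT_MAX_SIZE has `/* Max size of a single report */`; a one-line comment recording that the limit exists to bound the debug indentation buffer (and that 10 matches the old `indentstr[10]` size) would stop a later reader from mistaking it for a protocol limit.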
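Review bot: in the second hunk (@@ -224,8 +225,7 @@), `char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };` correctly reserves the extra byte for the terminator, so with `indent` capped at MAX_COLLECTION_LEVELS the dashes occupy indices 0..9 and the NUL index 10; the `+ 1` deserves a short comment, because resizing the array to MAX_COLLECTION_LEVELS alone in a future cleanup would reintroduce the one-byte overrun the commit message describes. Replacing `""` with `{ 0 }` is equivalent and fine.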
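Review bot: in the TAG_MAIN_COL_START hunk (@@ -351,6 +351,13 @@) the guard ends with `break`, so a descriptor nested deeper than MAX_COLLECTION_LEVELS is only logged and parsing continues with `indent` not incremented; the matching TAG_MAIN_COL_END later decrements it, so the debug indentation drifts out of step with the real nesting for the remainder of the descriptor. If that is acceptable it should be stated in a comment; otherwise consider abandoning the parse rather than skipping the item. Also, `indent == MAX_COLLECTION_LEVELS` is correct only because every increment passes through this check; `>=` would be the more defensive comparison at no cost.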
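Review bot: in the TAG_MAIN_COL_END hunk (@@ -370,8 +377,15 @@), `maintype = 'E'` is now assigned before the `indent == 0` check, so a stray end tag still records an end-of-collection main type even though the level is not decremented; if anything later in the loop keys on `maintype`, move the assignment after the check or note that the behaviour is intended. Moving `dev_dbg(ddev, "<<<<<<======\n")` below the check is right, since an unmatched end should not print a closing marker. The `dev_err` fires once per unmatched item of a device-supplied descriptor; `dev_err_ratelimited` would be the cautious choice, though that is minor.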
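As an added illustration (not the driver's code, nor part of this mail), the following user-space model reproduces the two guards the patch introduces and runs them over a constructed stream of collection start/end items; the 'S'/'E' encoding, the parse_stats bookkeeping, and the write of the terminating NUL after the dashes are assumptions of the model, not details visible in the hunks.

```c
#define MAX_COLLECTION_LEVELS 10   /* limit introduced by the patch */

struct parse_stats {
    int final_indent;    /* nesting level after the last tag */
    int max_indent;      /* deepest level reached */
    int rejected_start;  /* starts refused because the limit was hit */
    int rejected_end;    /* ends refused because the level was already 0 */
};

/* Rebuild the debug indentation string: 'indent' dashes followed by a NUL
 * (the NUL write is assumed; only the dash loop is visible in the patch).
 * Because indent never exceeds MAX_COLLECTION_LEVELS, the NUL lands at
 * index MAX_COLLECTION_LEVELS at most, the last byte of the buffer. */
static void set_indent(char *indentstr, int indent)
{
    int x;
    for (x = 0; x < indent; x++)
        indentstr[x] = '-';
    indentstr[x] = 0;
}

/* Walk a constructed stream of main items ('S' = collection start,
 * 'E' = collection end, any other byte ignored) with both guards. */
struct parse_stats track_collections(const char *tags)
{
    char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
    struct parse_stats st = { 0, 0, 0, 0 };
    int indent = 0;

    for (; *tags; tags++) {
        if (*tags == 'S') {
            if (indent == MAX_COLLECTION_LEVELS) {  /* guard from the patch */
                st.rejected_start++;
                continue;
            }
            set_indent(indentstr, ++indent);
            if (indent > st.max_indent)
                st.max_indent = indent;
        } else if (*tags == 'E') {
            if (indent == 0) {                      /* underflow guard */
                st.rejected_end++;
                continue;
            }
            set_indent(indentstr, --indent);
        }
    }
    st.final_indent = indent;
    return st;
}
```

Feeding twelve consecutive starts shows the level stopping at 10 with two items refused, which is exactly the case where the old `indentstr[10]` would have been overrun.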