From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Grant Hernandez, Dmitry Torokhov
Subject: [PATCH 4.9 083/223] Input: gtco - bounds check collection indent level
Date: Fri, 2 Aug 2019 11:35:08 +0200
Message-Id: <20190802092244.354372737@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190802092238.692035242@linuxfoundation.org>
References: <20190802092238.692035242@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Grant Hernandez

commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream.

The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes to be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out.

This was discovered during code review after a previous syzkaller bug was found in this driver.

Signed-off-by: Grant Hernandez
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman
---
 drivers/input/tablet/gtco.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com /* Max size of a single report */ #define REPORT_MAX_SIZE 10 +#define MAX_COLLECTION_LEVELS 10 /* Bitmask whether pen is in range */ 
@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor( char maintype = 'x'; char globtype[12]; int indent = 0; - char indentstr[10] = ""; - + char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); @@ -350,6 +350,13 @@ static void parse_hid_report_descriptor( case TAG_MAIN_COL_START: maintype = 'S'; + if (indent == MAX_COLLECTION_LEVELS) { + dev_err(ddev, "Collection level %d would exceed limit of %d\n", + indent + 1, + MAX_COLLECTION_LEVELS); + break; + } + if (data == 0) { dev_dbg(ddev, "======>>>>>> Physical\n"); strcpy(globtype, "Physical"); @@ -369,8 +376,15 @@ static void parse_hid_report_descriptor( break; case TAG_MAIN_COL_END: - dev_dbg(ddev, "<<<<<<======\n"); maintype = 'E'; + + if (indent == 0) { + dev_err(ddev, "Collection level already at zero\n"); + break; + } + + dev_dbg(ddev, "<<<<<<======\n"); + indent--; for (x = 0; x < indent; x++) indentstr[x] = '-';
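Review bot: in the `@@ -78,6 +78,7 @@` hunk, `MAX_COLLECTION_LEVELS 10` is added with no comment, while the neighbouring `REPORT_MAX_SIZE` carries one; a one-liner such as `/* Max nesting depth of HID collections tracked for debug indentation */` would tell the next reader that this bounds `indentstr` (sized `MAX_COLLECTION_LEVELS + 1` in the `@@ -223` hunk to leave room for the terminating NUL) and nothing else.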
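Review bot: in the `@@ -350,6 +350,13 @@` hunk, the `break` taken when `indent == MAX_COLLECTION_LEVELS` leaves `indent` untouched even though the descriptor still opens a collection, so the matching `TAG_MAIN_COL_END` later decrements `indent` for a level that was never counted; the `indent == 0` guard in the `@@ -369` hunk keeps this from underflowing, but a short comment that indentation tracking is best effort once the limit is hit would save the next reader from chasing it. Since the descriptor is device-supplied data processed on every enumeration (per the commit message), `dev_err` here and in the `TAG_MAIN_COL_END` branch is reachable by any attached device; `dev_warn` or a ratelimited variant may be the better severity for a malformed-descriptor condition that the driver tolerates.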
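Review bot: in the `@@ -369,8 +376,15 @@` hunk, after `indent--` the loop `for (x = 0; x < indent; x++) indentstr[x] = '-';` only rewrites the first `indent` bytes; the context ends before the line that places the terminating NUL at `indentstr[indent]`, so please confirm it is still there below the loop, otherwise the shortened string would keep the stale `'-'` from the deeper level. Moving `dev_dbg(ddev, "<<<<<<======\n")` below the new zero check is fine, but it means an unbalanced collection end no longer appears in the debug trace at all; if that trace is used to diagnose bad descriptors, logging the `dev_dbg` before the check would preserve it.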