From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gerecke, Ping Cheng, Jiri Kosina
Subject: [PATCH 4.9 014/157] HID: wacom: Avoid using stale array indicies to read contact count
Date: Mon, 24 Jan 2022 19:41:44 +0100
Message-Id: <20220124183933.243616752@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124183932.787526760@linuxfoundation.org>
References: <20220124183932.787526760@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jason Gerecke

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre-report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
 drivers/hid/wacom_wac.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -1693,6 +1693,10 @@ static void wacom_wac_finger_pre_report( struct hid_data* hid_data = &wacom_wac->hid_data; int i; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
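
Review bot: The three resets added at the top of wacom_wac_finger_pre_report() rely on 0 and -1 acting as "none" sentinels, but nothing in this hunk documents that or shows the code that later consumes cc_report, cc_index and cc_value_index. Since -1 is itself an invalid array index, the fix only holds if the read site in this 4.9 tree tests the indices (for example cc_index >= 0 and cc_value_index >= 0) before dereferencing report->field[]; that check is worth confirming for the backport, because the upstream context may differ from 4.9. A one-line comment above the assignments, saying they must be cleared for every report so that a report without a contact count cannot reuse indices left by an earlier one, would keep a later cleanup from dropping them again, which is what the commit message says happened in 003f50ab673c.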