From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gerecke, Ping Cheng, Jiri Kosina
Subject: [PATCH 5.4 004/320] HID: wacom: Avoid using stale array indicies to read contact count
Date: Mon, 24 Jan 2022 19:39:48 +0100
Message-Id: <20220124183953.913080008@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124183953.750177707@linuxfoundation.org>
References: <20220124183953.750177707@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jason Gerecke

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre-report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman

--- drivers/hid/wacom_wac.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2654,6 +2654,10 @@ static void wacom_wac_finger_pre_report( hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
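
Review bot: the three resets added ahead of the `for (i = 0; i < report->maxfield; i++)` loop in wacom_wac_finger_pre_report() rely on bare sentinel values (`cc_report = 0`, `cc_index = -1`, `cc_value_index = -1`) with no comment, and the code that later reads the contact count through these fields is outside the hunk. Since the commit message describes the failure as a read of arbitrary memory through stale indices, it is worth confirming that the consumer in the 5.4 tree tests for the "none" values (for example `cc_report != 0` and both indices `>= 0`) before indexing, because a -1 that is used unchecked is still an out-of-bounds index. A one-line comment above the block saying that these are per-report state and must be cleared before every scan of the report's fields would also keep the resets from being dropped again, which is the regression the Fixes: tag points at.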