From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gerecke, Ping Cheng, Jiri Kosina
Subject: [PATCH 4.19 025/239] HID: wacom: Avoid using stale array indicies to read contact count
Date: Mon, 24 Jan 2022 19:41:03 +0100
Message-Id: <20220124183943.920097912@linuxfoundation.org>
In-Reply-To: <20220124183943.102762895@linuxfoundation.org>
References: <20220124183943.102762895@linuxfoundation.org>

From: Jason Gerecke

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize
several variables used to read the contact count in the pre-report
phase. These variables are never reset if we process a report which
doesn't contain a contact count, however. This can cause the pre-report
function to trigger a read of arbitrary memory (e.g. NULL if we're
lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none"
values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
 drivers/hid/wacom_wac.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2610,6 +2610,10 @@ static void wacom_wac_finger_pre_report( hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
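
Review bot: the three resets added after "hid_data->confidence = true;" in wacom_wac_finger_pre_report() carry no comment saying that 0 and -1 are the "no contact count in this report" sentinels, or that they have to be cleared on every report because the state in hid_data survives from one report to the next. A one-line comment above them would make it harder for a later cleanup to drop them again, which is the regression the commit message describes. The reset also only helps if the reader honours it: the code that consumes cc_report, cc_index and cc_value_index is not part of this hunk, so it is worth confirming that it checks cc_index >= 0 and cc_value_index >= 0 before using them as array indices, since -1 used as an index would itself be an out-of-bounds read.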