From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gerecke, Ping Cheng, Jiri Kosina
Subject: [PATCH 5.16 0007/1039] HID: wacom: Avoid using stale array indicies to read contact count
Date: Mon, 24 Jan 2022 19:29:56 +0100
Message-Id: <20220124184125.387877794@linuxfoundation.org>
In-Reply-To: <20220124184125.121143506@linuxfoundation.org>

From: Jason Gerecke

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre-report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman

--- drivers/hid/wacom_wac.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2682,6 +2682,10 @@ static void wacom_wac_finger_pre_report( hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
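
Review bot: the three resets added before the `for (i = 0; i < report->maxfield; i++)` loop use bare sentinel values (`0` for `cc_report`, `-1` for `cc_index` and `cc_value_index`) with no comment saying why they must be cleared on every pre-report pass. The commit message says an earlier change dropped this reset and that the result was reads through stale indices, so a one-line comment above the block (for example, that contact-count state is per report and must not carry over from a previous report) would make the invariant harder to remove again. The code that consumes `cc_index` and `cc_value_index` is outside this hunk, so it is worth confirming that it treats a negative index as "no contact count" and also range-checks a non-negative index against the current report's field and value counts, rather than relying on the reset alone.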