From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gerecke, Ping Cheng, Jiri Kosina
Subject: [PATCH 5.15 007/846] HID: wacom: Avoid using stale array indicies to read contact count
Date: Mon, 24 Jan 2022 19:32:04 +0100
Message-Id: <20220124184101.152949416@linuxfoundation.org>
In-Reply-To: <20220124184100.867127425@linuxfoundation.org>
References: <20220124184100.867127425@linuxfoundation.org>

From: Jason Gerecke

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre-report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
--- drivers/hid/wacom_wac.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2682,6 +2682,10 @@ static void wacom_wac_finger_pre_report( hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
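Review bot: the -1 sentinels written to `hid_data->cc_index` and `hid_data->cc_value_index` just before the `for (i = 0; i < report->maxfield; i++)` loop only prevent the stale read if the code that later fetches the contact count treats a negative index (or `cc_report == 0`) as "no contact count" before indexing `report->field[]`; that consumer is not visible in this hunk, so please confirm the guard exists there, since an unchecked -1 is itself an out-of-bounds index. A one-line comment above the three assignments saying they are per-report state that must be cleared for reports without a contact count would also help, given that the commit message says an earlier change (the one named in Fixes:) dropped exactly this reset.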