From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gerecke, Ping Cheng, Jiri Kosina
Subject: [PATCH 5.10 005/563] HID: wacom: Avoid using stale array indicies to read contact count
Date: Mon, 24 Jan 2022 19:36:10 +0100
Message-Id: <20220124184024.594123453@linuxfoundation.org>
In-Reply-To: <20220124184024.407936072@linuxfoundation.org>
References: <20220124184024.407936072@linuxfoundation.org>

From: Jason Gerecke

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre-report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
drivers/hid/wacom_wac.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2654,6 +2654,10 @@ static void wacom_wac_finger_pre_report( hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j;
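
Review bot: The three resets added in wacom_wac_finger_pre_report() just before the `for (i = 0; i < report->maxfield; i++)` loop carry no comment, and the "none" sentinels (`0` for `cc_report`, `-1` for `cc_index` and `cc_value_index`) are bare literals. A short comment stating that the contact-count lookup state is cleared on every report, so that a report without a contact count cannot reuse indices left over from an earlier one, would record why these lines must stay ahead of the field loop. The code that later consumes `cc_index` and `cc_value_index` is outside this hunk, so it is worth confirming that it tests for `-1` before using either value as an array index, since the fix depends on that check.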