From: Vince Kim
Cc: Vince Kim, Ferruh Yigit, Dmitry Torokhov, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] Input: cyttsp4 - Fix error on calculating memory size passed to krealloc.
Date: Fri, 3 Nov 2017 14:34:16 -0700
Message-Id: <1509744856-3950-1-git-send-email-vince.k.kim@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <20171103190939.eibdhyg4kqapzdkn@dtor-ws>
References: <20171103190939.eibdhyg4kqapzdkn@dtor-ws>
To: unlisted-recipients:; (no To-header on input)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

There are several places to perform subtraction to calculate buffer size
such as:

	si->si_ofs.cydata_size = si->si_ofs.test_ofs - si->si_ofs.cydata_ofs;
	...
	p = krealloc(si->si_ptrs.cydata, si->si_ofs.cydata_size, GFP_KERNEL);

Actually, data types of above variables during subtraction are size_t, so
it is unsigned. That means if second operand (si->si_ofs.cydata_ofs) is
greater than the first operand (si->si_ofs.test_ofs), then resulting
si->si_ofs.cydata_size could result in an unsigned integer wrap which is
not desirable.

The proper way to correct this problem is to perform a test of both
operands to avoid having unsigned wrap.

Signed-off-by: Vince Kim
---
Changes in v2:
  - added missing opening curly brace at if statement

 drivers/input/touchscreen/cyttsp4_core.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c index beaf61c..e4a3743 100644 --- a/drivers/input/touchscreen/cyttsp4_core.c +++ b/drivers/input/touchscreen/cyttsp4_core.c 
@@ -201,6 +201,11 @@ static int cyttsp4_si_get_cydata(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.test_ofs <= si->si_ofs.cydata_ofs) { + dev_err(cd->dev, "%s: invalid offset test_ofs:%zd, cydata_ofs:%zd \n", __func__, si->si_ofs.test_ofs, si->si_ofs.cydata_ofs); + return -EINVAL; + } + si->si_ofs.cydata_size = si->si_ofs.test_ofs - si->si_ofs.cydata_ofs; dev_dbg(cd->dev, "%s: cydata size: %zd\n", __func__, si->si_ofs.cydata_size); @@ -270,6 +275,11 @@ static int cyttsp4_si_get_test_data(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.pcfg_ofs <= si->si_ofs.test_ofs) { + dev_err(cd->dev, "%s: invalid offset pcfg_ofs:%zd, test_ofs:%zd \n", __func__, si->si_ofs.pcfg_ofs, si->si_ofs.test_ofs); + return -EINVAL; + } + si->si_ofs.test_size = si->si_ofs.pcfg_ofs - si->si_ofs.test_ofs; p = krealloc(si->si_ptrs.test, si->si_ofs.test_size, GFP_KERNEL); @@ -321,6 +331,11 @@ static int cyttsp4_si_get_pcfg_data(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.opcfg_ofs <= si->si_ofs.pcfg_ofs) { + dev_err(cd->dev, "%s: invalid offset opcfg_ofs:%zd, pcfg_ofs:%zd \n", __func__, si->si_ofs.opcfg_ofs, si->si_ofs.pcfg_ofs); + return -EINVAL; + } + si->si_ofs.pcfg_size = si->si_ofs.opcfg_ofs - si->si_ofs.pcfg_ofs; p = krealloc(si->si_ptrs.pcfg, si->si_ofs.pcfg_size, GFP_KERNEL); @@ -367,6 +382,11 @@ static int cyttsp4_si_get_opcfg_data(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.ddata_ofs <= si->si_ofs.opcfg_ofs) { + dev_err(cd->dev, "%s: invalid offset ddata_ofs:%zd, opcfg_ofs:%zd \n", __func__, si->si_ofs.ddata_ofs, si->si_ofs.opcfg_ofs); + return -EINVAL; + } + si->si_ofs.opcfg_size = si->si_ofs.ddata_ofs - si->si_ofs.opcfg_ofs; p = krealloc(si->si_ptrs.opcfg, si->si_ofs.opcfg_size, GFP_KERNEL); -- 2.7.4
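
Review bot: In the cyttsp4_si_get_cydata hunk the new dev_err prints si->si_ofs.test_ofs and si->si_ofs.cydata_ofs with %zd, but the commit message says these values are size_t, so the specifier should be %zu; %zd is the signed form. The format string also has a stray space before the newline ("cydata_ofs:%zd \n"). Both points apply equally to the dev_err added in the other three hunks.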
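
Review bot: The condition added to cyttsp4_si_get_test_data is pcfg_ofs <= test_ofs, which also rejects equal offsets, while the commit message only describes the case where the second operand is greater than the first. Equal offsets do not wrap; they give a test_size of 0. If a zero-length section is meant to be an error, say so in the commit message or in a comment above the check; if it is not, the comparison should be <.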
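
Review bot: In cyttsp4_si_get_pcfg_data the added check stops the subtraction from wrapping, but the result of opcfg_ofs - pcfg_ofs still goes to krealloc with no upper limit visible in this hunk. If the offsets are bounded elsewhere, a one-line comment stating that bound would help; otherwise consider comparing pcfg_size against a maximum before the allocation.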
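
Review bot: The block added to cyttsp4_si_get_opcfg_data is the fourth copy of the same compare, dev_err and return -EINVAL sequence, differing only in the two offsets and the names printed. A small static helper that takes the two offsets plus their names and returns either the size or -EINVAL would reduce each call site to one line and leave a single place to fix the message format.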