From: Vince Kim
Cc: Vince Kim, Ferruh Yigit, Dmitry Torokhov, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Input: cyttsp4 - Fix error on calculating memory size passed to krealloc.
Date: Tue, 31 Oct 2017 12:19:58 -0700
Message-Id: <1509477598-7010-1-git-send-email-vince.k.kim@gmail.com>

There are several places to perform subtraction to calculate buffer size such as:

    si->si_ofs.cydata_size = si->si_ofs.test_ofs - si->si_ofs.cydata_ofs;
    ...
    p = krealloc(si->si_ptrs.cydata, si->si_ofs.cydata_size, GFP_KERNEL);

Actually, the data types of the above variables during subtraction are size_t, so they are unsigned. That means if the second operand (si->si_ofs.cydata_ofs) is greater than the first operand (si->si_ofs.test_ofs), then the resulting si->si_ofs.cydata_size could result in an unsigned integer wrap, which is not desirable.

The proper way to correct this problem is to perform a test of both operands to avoid having an unsigned wrap.

---
 drivers/input/touchscreen/cyttsp4_core.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c index beaf61c..eecc7f1 100644 --- a/drivers/input/touchscreen/cyttsp4_core.c +++ b/drivers/input/touchscreen/cyttsp4_core.c @@ -201,6 +201,11 @@ static int cyttsp4_si_get_cydata(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.test_ofs <= si->si_ofs.cydata_ofs) + dev_err(cd->dev, "%s: invalid offset test_ofs:%zd, cydata_ofs:%zd \n", __func__, si->si_ofs.test_ofs, si->si_ofs.cydata_ofs); + return -EINVAL; + } + si->si_ofs.cydata_size = si->si_ofs.test_ofs - si->si_ofs.cydata_ofs; dev_dbg(cd->dev, "%s: cydata size: %zd\n", __func__, si->si_ofs.cydata_size); @@ -270,6 +275,11 @@ static int cyttsp4_si_get_test_data(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.pcfg_ofs <= si->si_ofs.test_ofs) + dev_err(cd->dev, "%s: invalid offset pcfg_ofs:%zd, test_ofs:%zd \n", __func__, si->si_ofs.pcfg_ofs, si->si_ofs.test_ofs); + return -EINVAL; + } + si->si_ofs.test_size = si->si_ofs.pcfg_ofs - si->si_ofs.test_ofs; p = krealloc(si->si_ptrs.test, si->si_ofs.test_size, GFP_KERNEL); @@ -321,6 +331,11 @@ static int cyttsp4_si_get_pcfg_data(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.opcfg_ofs <= si->si_ofs.pcfg_ofs) + dev_err(cd->dev, "%s: invalid offset opcfg_ofs:%zd, pcfg_ofs:%zd \n", __func__, si->si_ofs.opcfg_ofs, si->si_ofs.pcfg_ofs); + return -EINVAL; + } + si->si_ofs.pcfg_size = si->si_ofs.opcfg_ofs - si->si_ofs.pcfg_ofs; p = krealloc(si->si_ptrs.pcfg, si->si_ofs.pcfg_size, GFP_KERNEL); 
@@ -367,6 +382,11 @@ static int cyttsp4_si_get_opcfg_data(struct cyttsp4 *cd) void *p; int rc; + if (si->si_ofs.ddata_ofs <= si->si_ofs.opcfg_ofs) + dev_err(cd->dev, "%s: invalid offset ddata_ofs:%zd, opcfg_ofs:%zd \n", __func__, si->si_ofs.ddata_ofs, si->si_ofs.opcfg_ofs); + return -EINVAL; + } + si->si_ofs.opcfg_size = si->si_ofs.ddata_ofs - si->si_ofs.opcfg_ofs; p = krealloc(si->si_ptrs.opcfg, si->si_ofs.opcfg_size, GFP_KERNEL); -- 2.7.4
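
Review bot: the added "if (si->si_ofs.test_ofs <= si->si_ofs.cydata_ofs)" in the cyttsp4_si_get_cydata() hunk has no opening brace, yet the block is closed with "}" after "return -EINVAL;", so the file will not compile as posted. The other three hunks have the same shape. Add "{" at the end of each "if" line and build-test the driver before resending.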
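
Review bot: the dev_err() format string in the cyttsp4_si_get_test_data() hunk prints pcfg_ofs and test_ofs with %zd, while the commit message states these values are size_t; the matching specifier is %zu, and %zd would render a very large offset as a negative number in the log. The string also carries a stray space before "\n". Both points apply to the messages in the other three hunks as well.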
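
Review bot: the comparison "si->si_ofs.opcfg_ofs <= si->si_ofs.pcfg_ofs" in the cyttsp4_si_get_pcfg_data() hunk rejects equal offsets too, whereas the commit message only describes the case where the second operand is greater than the first. Either state in the commit message that a zero-length section is also treated as invalid, or use "<" if a size of zero is meant to reach krealloc(). The same question applies to all four checks.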
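
Review bot: the check added to cyttsp4_si_get_opcfg_data() is the fourth copy of the same compare, dev_err() and "return -EINVAL;" sequence; a small helper that takes the two offsets and their names would keep the four call sites consistent and mean later fixes are made once. The posted message also has no Signed-off-by: line, which is required before the patch can be applied.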
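
The unsigned wrap described in the commit message, as an added userspace example that is not part of the posted patch or the driver. The helper names (unchecked_size, checked_size, layout_sizes) and the offset values are hypothetical; only the section field names come from the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model: section offsets in the order cydata, test, pcfg, opcfg,
 * ddata (field names from the patch; helper names here are hypothetical). */
#define NUM_OFS 5

/* What the unpatched code computes: size_t arithmetic wraps modulo 2^N. */
static size_t unchecked_size(size_t start, size_t end)
{
	return end - start;
}

/* Checked form: refuse a section whose end is not past its start. */
static int checked_size(size_t start, size_t end, size_t *out)
{
	if (end <= start)
		return -EINVAL;
	*out = end - start;
	return 0;
}

/* Validate the whole table before allocating; sizes[i] is the length of the
 * section at ofs[i]. On failure *bad holds the index of the first bad pair. */
static int layout_sizes(const size_t ofs[NUM_OFS], size_t sizes[NUM_OFS - 1],
			int *bad)
{
	for (int i = 0; i < NUM_OFS - 1; i++) {
		if (checked_size(ofs[i], ofs[i + 1], &sizes[i])) {
			*bad = i;
			return -EINVAL;
		}
	}
	return 0;
}

int main(void)
{
	/* Constructed sample: test_ofs (0x20) lies below cydata_ofs (0x40). */
	const size_t bogus[NUM_OFS] = { 0x40, 0x20, 0x60, 0x80, 0xa0 };
	size_t sizes[NUM_OFS - 1];
	int bad = -1;
	int rc = layout_sizes(bogus, sizes, &bad);

	printf("unchecked: %zu bytes requested\n", unchecked_size(bogus[0], bogus[1]));
	printf("checked: rc=%d, first bad pair=%d\n", rc, bad);
	return 0;
}
```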