From: Dmitry Torokhov Date: Mon, 23 Oct 2017 23:46:00 +0000 (-0700) Subject: Input: gtco - fix potential out-of-bound access X-Git-Tag: v4.1.12-124.31.3~845 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=19ac87afee84c597b11c3158bd6a6ebbbeff817f;p=users%2Fjedix%2Flinux-maple.git Input: gtco - fix potential out-of-bound access parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by: Andrey Konovalov Reviewed-by: Andrey Konovalov Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov (cherry picked from commit a50829479f58416a013a4ccca791336af3c584c7) Orabug: 27869844 CVE: CVE-2017-16643 Signed-off-by: Tim Tianyang Chen Reviewed-by: Brian Maly Signed-off-by: Brian Maly --- diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index 7c18249d6c8e..8b68a210277b 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, /* Walk this report and pull out the info we need */ while (i < length) { - prefix = report[i]; - - /* Skip over prefix */ - i++; + prefix = report[i++]; /* Determine data size and save the data in the proper variable */ - size = PREF_SIZE(prefix); + size = (1U << PREF_SIZE(prefix)) >> 1; + if (i + size > length) { + dev_err(ddev, + "Not enough data (need %d, have %d)\n", + i + size, length); + break; + } + switch (size) { case 1: data = report[i]; @@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, case 2: data16 = get_unaligned_le16(&report[i]); break; - case 3: - size = 4; + case 4: data32 = get_unaligned_le32(&report[i]); break; }