Commit 2bad8630 authored by Grant Hernandez's avatar Grant Hernandez Committed by Stefan Bader

Input: gtco - bounds check collection indent level

BugLink: https://bugs.launchpad.net/bugs/1840081

commit 2a017fd8 upstream.

The GTCO tablet input driver configures itself from an HID report sent
via USB during the initial enumeration process. Some debugging messages
are generated during the parsing. A debugging message indentation
counter is not bounds checked, leading to the ability for a specially
crafted HID report to cause '-' and null bytes be written past the end
of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
enabled, this code will not be optimized out.  This was discovered
during code review after a previous syzkaller bug was found in this
driver.
Signed-off-by: default avatarGrant Hernandez <granthernandez@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 1273f72c
...@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com ...@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
/* Max size of a single report */ /* Max size of a single report */
#define REPORT_MAX_SIZE 10 #define REPORT_MAX_SIZE 10
#define MAX_COLLECTION_LEVELS 10
/* Bitmask whether pen is in range */ /* Bitmask whether pen is in range */
...@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, ...@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
char maintype = 'x'; char maintype = 'x';
char globtype[12]; char globtype[12];
int indent = 0; int indent = 0;
char indentstr[10] = ""; char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
...@@ -351,6 +351,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, ...@@ -351,6 +351,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
case TAG_MAIN_COL_START: case TAG_MAIN_COL_START:
maintype = 'S'; maintype = 'S';
if (indent == MAX_COLLECTION_LEVELS) {
dev_err(ddev, "Collection level %d would exceed limit of %d\n",
indent + 1,
MAX_COLLECTION_LEVELS);
break;
}
if (data == 0) { if (data == 0) {
dev_dbg(ddev, "======>>>>>> Physical\n"); dev_dbg(ddev, "======>>>>>> Physical\n");
strcpy(globtype, "Physical"); strcpy(globtype, "Physical");
...@@ -370,8 +377,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, ...@@ -370,8 +377,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
break; break;
case TAG_MAIN_COL_END: case TAG_MAIN_COL_END:
dev_dbg(ddev, "<<<<<<======\n");
maintype = 'E'; maintype = 'E';
if (indent == 0) {
dev_err(ddev, "Collection level already at zero\n");
break;
}
dev_dbg(ddev, "<<<<<<======\n");
indent--; indent--;
for (x = 0; x < indent; x++) for (x = 0; x < indent; x++)
indentstr[x] = '-'; indentstr[x] = '-';
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment