[thirdparty/kernel/stable-queue.git] / releases / 4.14.53 / input-elan_i2c_smbus-fix-more-potential-stack-buffer-overflows.patch

From 50fc7b61959af4b95fafce7fe5dd565199e0b61a Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
Date: Tue, 19 Jun 2018 11:17:32 -0700
Subject: Input: elan_i2c_smbus - fix more potential stack buffer overflows

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream.

Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack")
fixed most of the functions using i2c_smbus_read_block_data() to
allocate a buffer with the maximum block size.  However three
functions were left unchanged:

* In elan_smbus_initialize(), increase the buffer size in the same
  way.
* In elan_smbus_calibrate_result(), the buffer is provided by the
  caller (calibrate_store()), so introduce a bounce buffer.  Also
  name the result buffer size.
* In elan_smbus_get_report(), the buffer is provided by the caller
  but happens to be the right length.  Add a compile-time assertion
  to ensure this remains the case.

Cc: <stable@vger.kernel.org> # 3.19+
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elan_i2c.h       |    2 ++
 drivers/input/mouse/elan_i2c_core.c  |    2 +-
 drivers/input/mouse/elan_i2c_smbus.c |   10 ++++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/input/mouse/elan_i2c.h
+++ b/drivers/input/mouse/elan_i2c.h
@@ -27,6 +27,8 @@
 #define ETP_DISABLE_POWER	0x0001
 #define ETP_PRESSURE_OFFSET	25
 
+#define ETP_CALIBRATE_MAX_LEN	3
+
 /* IAP Firmware handling */
 #define ETP_PRODUCT_ID_FORMAT_STRING	"%d.0"
 #define ETP_FW_NAME		"elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -610,7 +610,7 @@ static ssize_t calibrate_store(struct de
 	int tries = 20;
 	int retval;
 	int error;
-	u8 val[3];
+	u8 val[ETP_CALIBRATE_MAX_LEN];
 
 	retval = mutex_lock_interruptible(&data->sysfs_mutex);
 	if (retval)
--- a/drivers/input/mouse/elan_i2c_smbus.c
+++ b/drivers/input/mouse/elan_i2c_smbus.c
@@ -56,7 +56,7 @@
 static int elan_smbus_initialize(struct i2c_client *client)
 {
 	u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
-	u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
+	u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
 	int len, error;
 
 	/* Get hello packet */
@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i
 static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val)
 {
 	int error;
+	u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
+
+	BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
 
 	error = i2c_smbus_read_block_data(client,
-					  ETP_SMBUS_CALIBRATE_QUERY, val);
+					  ETP_SMBUS_CALIBRATE_QUERY, buf);
 	if (error < 0)
 		return error;
 
+	memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
 	return 0;
 }
 
@@ -472,6 +476,8 @@ static int elan_smbus_get_report(struct
 {
 	int len;
 
+	BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
+
 	len = i2c_smbus_read_block_data(client,
 					ETP_SMBUS_PACKET_QUERY,
 					&report[ETP_SMBUS_REPORT_OFFSET]);
Commit	Line	Data
0f714131 GKH	1	From 50fc7b61959af4b95fafce7fe5dd565199e0b61a Mon Sep 17 00:00:00 2001
	2	From: Ben Hutchings <ben.hutchings@codethink.co.uk>
	3	Date: Tue, 19 Jun 2018 11:17:32 -0700
	4	Subject: Input: elan_i2c_smbus - fix more potential stack buffer overflows
	5
	6	From: Ben Hutchings <ben.hutchings@codethink.co.uk>
	7
	8	commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream.
	9
	10	Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack")
	11	fixed most of the functions using i2c_smbus_read_block_data() to
	12	allocate a buffer with the maximum block size. However three
	13	functions were left unchanged:
	14
	15	* In elan_smbus_initialize(), increase the buffer size in the same
	16	way.
	17	* In elan_smbus_calibrate_result(), the buffer is provided by the
	18	caller (calibrate_store()), so introduce a bounce buffer. Also
	19	name the result buffer size.
	20	* In elan_smbus_get_report(), the buffer is provided by the caller
	21	but happens to be the right length. Add a compile-time assertion
	22	to ensure this remains the case.
	23
	24	Cc: <stable@vger.kernel.org> # 3.19+
	25	Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
	26	Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
	27	Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
	28	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	29
	30	---
	31	drivers/input/mouse/elan_i2c.h \| 2 ++
	32	drivers/input/mouse/elan_i2c_core.c \| 2 +-
	33	drivers/input/mouse/elan_i2c_smbus.c \| 10 ++++++++--
	34	3 files changed, 11 insertions(+), 3 deletions(-)
	35
	36	--- a/drivers/input/mouse/elan_i2c.h
	37	+++ b/drivers/input/mouse/elan_i2c.h
	38	@@ -27,6 +27,8 @@
	39	#define ETP_DISABLE_POWER 0x0001
	40	#define ETP_PRESSURE_OFFSET 25
	41
	42	+#define ETP_CALIBRATE_MAX_LEN 3
	43	+
	44	/* IAP Firmware handling */
	45	#define ETP_PRODUCT_ID_FORMAT_STRING "%d.0"
	46	#define ETP_FW_NAME "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"
	47	--- a/drivers/input/mouse/elan_i2c_core.c
	48	+++ b/drivers/input/mouse/elan_i2c_core.c
	49	@@ -610,7 +610,7 @@ static ssize_t calibrate_store(struct de
	50	int tries = 20;
	51	int retval;
	52	int error;
	53	- u8 val[3];
	54	+ u8 val[ETP_CALIBRATE_MAX_LEN];
	55
	56	retval = mutex_lock_interruptible(&data->sysfs_mutex);
	57	if (retval)
	58	--- a/drivers/input/mouse/elan_i2c_smbus.c
	59	+++ b/drivers/input/mouse/elan_i2c_smbus.c
	60	@@ -56,7 +56,7 @@
	61	static int elan_smbus_initialize(struct i2c_client *client)
	62	{
	63	u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
	64	- u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
65	+ u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
66	int len, error;
67
68	/* Get hello packet */
69	@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i
70	static int elan_smbus_calibrate_result(struct i2c_client client, u8 val)
71	{
72	int error;
73	+ u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
74	+
75	+ BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
76
77	error = i2c_smbus_read_block_data(client,
78	- ETP_SMBUS_CALIBRATE_QUERY, val);
79	+ ETP_SMBUS_CALIBRATE_QUERY, buf);
80	if (error < 0)
81	return error;
82
83	+ memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
84	return 0;
85	}
86
87	@@ -472,6 +476,8 @@ static int elan_smbus_get_report(struct
88	{
89	int len;
90
91	+ BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
92	+
93	len = i2c_smbus_read_block_data(client,
94	ETP_SMBUS_PACKET_QUERY,
95	&report[ETP_SMBUS_REPORT_OFFSET]);