0f714131 GKH |
1 | From 50fc7b61959af4b95fafce7fe5dd565199e0b61a Mon Sep 17 00:00:00 2001 |
2 | From: Ben Hutchings <ben.hutchings@codethink.co.uk> | |
3 | Date: Tue, 19 Jun 2018 11:17:32 -0700 | |
4 | Subject: Input: elan_i2c_smbus - fix more potential stack buffer overflows | |
5 | ||
6 | From: Ben Hutchings <ben.hutchings@codethink.co.uk> | |
7 | ||
8 | commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream. | |
9 | ||
10 | Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack") | |
11 | fixed most of the functions using i2c_smbus_read_block_data() to | |
12 | allocate a buffer with the maximum block size. However three | |
13 | functions were left unchanged: | |
14 | ||
15 | * In elan_smbus_initialize(), increase the buffer size in the same | |
16 | way. | |
17 | * In elan_smbus_calibrate_result(), the buffer is provided by the | |
18 | caller (calibrate_store()), so introduce a bounce buffer. Also | |
19 | name the result buffer size. | |
20 | * In elan_smbus_get_report(), the buffer is provided by the caller | |
21 | but happens to be the right length. Add a compile-time assertion | |
22 | to ensure this remains the case. | |
23 | ||
24 | Cc: <stable@vger.kernel.org> # 3.19+ | |
25 | Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> | |
26 | Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> | |
27 | Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> | |
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
29 | ||
30 | --- | |
31 | drivers/input/mouse/elan_i2c.h | 2 ++ | |
32 | drivers/input/mouse/elan_i2c_core.c | 2 +- | |
33 | drivers/input/mouse/elan_i2c_smbus.c | 10 ++++++++-- | |
34 | 3 files changed, 11 insertions(+), 3 deletions(-) | |
35 | ||
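--- a/drivers/input/mouse/elan_i2c.h
+++ b/drivers/input/mouse/elan_i2c.h
@@ -27,6 +27,8 @@
 #define ETP_DISABLE_POWER 0x0001
 #define ETP_PRESSURE_OFFSET 25
 
+#define ETP_CALIBRATE_MAX_LEN 3
+
 /* IAP Firmware handling */
 #define ETP_PRODUCT_ID_FORMAT_STRING "%d.0"
 #define ETP_FW_NAME "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"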
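Review bot: The new `ETP_CALIBRATE_MAX_LEN` has no comment, although the rest of this commit uses it as a cross-file contract: it sizes `val` in calibrate_store() and is the fixed copy length in elan_smbus_calibrate_result(). A comment at the definition, such as `/* Size of the calibration result buffer; the SMBus transport copies exactly this many bytes into it */`, would make that dependency visible to anyone changing the value. The `MAX` in the name also reads as an upper bound, while both visible uses treat it as an exact length.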
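--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -610,7 +610,7 @@ static ssize_t calibrate_store(struct de
 int tries = 20;
 int retval;
 int error;
- u8 val[3];
+ u8 val[ETP_CALIBRATE_MAX_LEN];
 
 retval = mutex_lock_interruptible(&data->sysfs_mutex);
 if (retval)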
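--- a/drivers/input/mouse/elan_i2c_smbus.c
+++ b/drivers/input/mouse/elan_i2c_smbus.c
@@ -56,7 +56,7 @@
 static int elan_smbus_initialize(struct i2c_client *client)
 {
 u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
- u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
+ u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
 int len, error;
 
 /* Get hello packet */
@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i
 static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val)
 {
 int error;
+ u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
 
 error = i2c_smbus_read_block_data(client,
- ETP_SMBUS_CALIBRATE_QUERY, val);
+ ETP_SMBUS_CALIBRATE_QUERY, buf);
 if (error < 0)
 return error;
 
+ memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
 return 0;
 }
 
@@ -472,6 +476,8 @@ static int elan_smbus_get_report(struct
 {
 int len;
 
+ BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
+
 len = i2c_smbus_read_block_data(client,
 ETP_SMBUS_PACKET_QUERY,
 &report[ETP_SMBUS_REPORT_OFFSET]);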
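Review bot: In elan_smbus_calibrate_result() the byte count returned by i2c_smbus_read_block_data() is discarded, so `memcpy(val, buf, ETP_CALIBRATE_MAX_LEN)` also runs when the device answered with fewer than ETP_CALIBRATE_MAX_LEN bytes. In that case the caller receives the zero padding of the zero-initialised `buf` as if it were device data. Rejecting a short reply before the copy, for example with `if (error < ETP_CALIBRATE_MAX_LEN) return -EIO;` after the existing `error < 0` check, would keep a truncated response from being reported as a result. How calibrate_store() interprets an all-zero `val` is not visible in this diff, so the practical impact should be confirmed there. The copy also depends on every caller providing at least ETP_CALIBRATE_MAX_LEN bytes behind `val`, which a one-line comment above the function should state.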