]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
authorGeorgiy Osokin <g.osokin@auroraos.dev>
Sun, 17 May 2026 12:06:39 +0000 (15:06 +0300)
committerJiri Kosina <jkosina@suse.com>
Mon, 29 Jun 2026 08:46:13 +0000 (10:46 +0200)
In picolcd_send_and_wait(), an integer overflow of the signed loop counter
'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
If the loop executes more than INT_MAX times, 'k' becomes negative,
making the condition 'k < size' true even when 'size' is 0.

Change the type of 'k' to 'unsigned int' to prevent the overflow and
eliminate the out-of-bounds access.

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

[jkosina@suse.com: extended hash length]
Fixes: fabdbf2fd22fa17 ("HID: picoLCD: split driver code")
Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
drivers/hid/hid-picolcd_core.c

index 2cc01e1bc1a844b7458622adaf8ec7159c98183c..d73e97c8b853e97acd7293eac8d830fdd7c43f6b 100644 (file)
@@ -72,7 +72,8 @@ struct picolcd_pending *picolcd_send_and_wait(struct hid_device *hdev,
        struct picolcd_pending *work;
        struct hid_report *report = picolcd_out_report(report_id, hdev);
        unsigned long flags;
-       int i, j, k;
+       int i, j;
+       unsigned int k;
 
        if (!report || !data)
                return NULL;