git.ipfire.org Git - thirdparty/linux.git/commit

author	Bryam Vargas <hexlabsecurity@proton.me>
	Sat, 13 Jun 2026 02:10:33 +0000 (21:10 -0500)
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>
	Tue, 23 Jun 2026 03:44:12 +0000 (20:44 -0700)
commit	5ed62a96e06be4e94b8296b7932afee550a70e04
tree	48447a3c1cc3b6897628eaad6850fd02d11dbea6	tree \| snapshot
parent	66725039f7090afe14c31bd259e2059a68f04023	commit \| diff

Input: goodix - clamp the device-reported contact count

goodix_ts_read_input_report() copies the number of touch points reported
by the device into an on-stack buffer

u8 point_data[2 + GOODIX_MAX_CONTACT_SIZE * GOODIX_MAX_CONTACTS];

which is sized for at most GOODIX_MAX_CONTACTS (10) contacts. The only
runtime check bounds the per-interrupt count against ts->max_touch_num,
but that value is taken verbatim from a 4-bit field of the device
configuration block and is never clamped:

ts->max_touch_num = ts->config[MAX_CONTACTS_LOC] & 0x0f;

The nibble can be 0..15, so a malfunctioning, malicious or counterfeit
controller (or an attacker tampering with the I2C bus) can advertise up
to 15 contacts. goodix_ts_read_input_report() then accepts a touch_num
of up to 15 and the second goodix_i2c_read() writes
ts->contact_size * (touch_num - 1) bytes past the one-contact header into
point_data - up to 30 bytes (45 with the 9-byte report format) beyond the
92-byte buffer: a stack out-of-bounds write.

Clamp max_touch_num to GOODIX_MAX_CONTACTS, the number of contacts
point_data[] is sized for, when reading it from the configuration.

Fixes: a7ac7c95d468 ("Input: goodix - use max touch number from device config")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260612-b4-disp-6844625d-v1-1-df0aed080c9d@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>