From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: Sun, 26 Apr 2026 05:07:06 +0000 (-0700)
Subject: Input: elan_i2c - validate firmware size before use
X-Git-Tag: v7.1-rc6~5^2~8
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634;p=thirdparty%2Fkernel%2Flinux.git

Input: elan_i2c - validate firmware size before use

Ensure that the firmware file is large enough to contain the expected
number of pages and the signature (which resides at the end of the
firmware blob) before accessing them to prevent potential out-of-bounds
reads.

Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---

diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
index 7475803c6ce4..5cba02a156ce 100644
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -648,6 +648,11 @@ static ssize_t elan_sysfs_update_fw(struct device *dev,
 		return error;
 	}
 
+	if (fw->size < data->fw_signature_address + sizeof(signature)) {
+		dev_err(dev, "firmware file too small\n");
+		return -EBADF;
+	}
+
 	/* Firmware file must match signature data */
 	fw_signature = &fw->data[data->fw_signature_address];
 	if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {