| Message ID | 20241017080104.1817636-1-shipeiqu@sjtu.edu.cn |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] Input/mouse: cyapa - fix potential buffer overflow in cyapa_gen3.c | expand |
diff --git a/drivers/input/mouse/cyapa_gen3.c b/drivers/input/mouse/cyapa_gen3.c index fc3fb954523b..6297d1376bbe 100644 --- a/drivers/input/mouse/cyapa_gen3.c +++ b/drivers/input/mouse/cyapa_gen3.c @@ -31,7 +31,7 @@ /* Macro for register map group offset. */ #define PRODUCT_ID_SIZE 16 -#define QUERY_DATA_SIZE 27 +#define QUERY_DATA_SIZE 32 #define REG_PROTOCOL_GEN_QUERY_OFFSET 20 #define REG_OFFSET_DATA_BASE 0x0000 @@ -114,6 +114,8 @@ struct cyapa_reg_data { u8 finger_btn; /* CYAPA reports up to 5 touches per packet. */ struct cyapa_touch touches[5]; + /* padding up to size I2C_SMBUS_BLOCK_MAX. */ + u8 padding[5]; } __packed; struct gen3_write_block_cmd {
The i2c_smbus_read_block_data function receives up to I2C_SMBUS_BLOCK_MAX bytes, which is defined as 32. This exceeds the size of the struct cyapa_reg_data, which will be provided to cyapa_read_block as an input buffer and finally reach i2c_smbus_read_block_data. When the cyapa module is enabled (CONFIG_MOUSE_CYAPA=m), this bug could result in potential denial-of-service for invalid or malicious I2C data. Pad the size of the cyapa_reg_data structure from 27 to I2C_SMBUS_BLOCK_MAX=32 bytes to address this issue. Signed-off-by: itewqq <shipeiqu@sjtu.edu.cn> --- drivers/input/mouse/cyapa_gen3.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)