lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <E64899AA-23A5-49D7-8C91-B94A095290E0@crocodile.org>
Date:	Fri, 5 Mar 2010 11:47:14 -0800
From:	Vadim Zaliva <lord@...codile.org>
To:	Johannes Berg <johannes@...solutions.net>
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH 1/1] integer overflow issue in 'appletouch' driver

This small patch is fixing an integer overflow issue in 'appletouch' driver.

In particular, reading data from Geyser 2 touchpads used on post Oct
2005 Apple PowerBooks the driver was casting X and Y coordinates
values to 'signed char'. Testing on one of such PowerBooks I have
noticed that touchpad always generates positive values, but some of
them are greater that 127, and thus, when cast to 'signed char' being
interpreted as a negative.

Such bigger values have been observed infrequently, closer to the
edges of a touchpad, so the problem was not very visible. 
Nevertheless, the patch would potentially improve touchpad
driver accuracy.


diff -uNr linux-source-2.6.31.orig/drivers/input/mouse/appletouch.c linux-source-2.6.31/drivers/input/mouse/appletouch.c
--- linux-source-2.6.31.orig/drivers/input/mouse/appletouch.c	2009-09-09 15:13:59.000000000 -0700
+++ linux-source-2.6.31/drivers/input/mouse/appletouch.c	2010-03-05 11:05:11.921394055 -0800
@@ -205,8 +205,8 @@
 	bool			overflow_warned;
 	int			x_old;		/* last reported x/y, */
 	int			y_old;		/* used for smoothing */
-	signed char		xy_cur[ATP_XSENSORS + ATP_YSENSORS];
-	signed char		xy_old[ATP_XSENSORS + ATP_YSENSORS];
+	u8		    xy_cur[ATP_XSENSORS + ATP_YSENSORS];
+	u8		    xy_old[ATP_XSENSORS + ATP_YSENSORS];
 	int			xy_acc[ATP_XSENSORS + ATP_YSENSORS];
 	int			idlecount;	/* number of empty packets */
 	struct work_struct	work;
@@ -531,7 +531,7 @@
 
 	for (i = 0; i < ATP_XSENSORS + ATP_YSENSORS; i++) {
 		/* accumulate the change */
-		signed char change = dev->xy_old[i] - dev->xy_cur[i];
+		int change = dev->xy_old[i] - dev->xy_cur[i];
 		dev->xy_acc[i] -= change;
 
 		/* prevent down drifting */


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ