[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200530073935.17874-1-baijiaju1990@gmail.com>
Date: Sat, 30 May 2020 15:39:35 +0800
From: Jia-Ju Bai <baijiaju1990@...il.com>
To: dmitry.torokhov@...il.com, johan@...nel.org, vdronov@...hat.com,
tglx@...utronix.de, gregkh@...uxfoundation.org
Cc: linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
Jia-Ju Bai <baijiaju1990@...il.com>
Subject: [PATCH] input: tablet: aiptek: fix possible buffer overflow caused by bad DMA value in aiptek_irq()
The value aiptek->data is stored in DMA memory, and it is assigned to
data. Thus in the code:
macro = get_unaligned_le16(data + 1);
The value of marco can be modified by malicious hardware.
In this case, buffer overflow may occur when the code
"macroKeyEvents[macro - 1]" and "macroKeyEvents[macro]" is executed.
To fix these possible bugs, macro is checked before being used.
Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
---
drivers/input/tablet/aiptek.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
index e08b0ef078e8..e353e538fb51 100644
--- a/drivers/input/tablet/aiptek.c
+++ b/drivers/input/tablet/aiptek.c
@@ -737,11 +737,11 @@ static void aiptek_irq(struct urb *urb)
*/
else if (data[0] == 6) {
macro = get_unaligned_le16(data + 1);
- if (macro > 0) {
+ if (macro > 0 && macro < 34) {
input_report_key(inputdev, macroKeyEvents[macro - 1],
0);
}
- if (macro < 25) {
+ if (marco > 0 && macro < 25) {
input_report_key(inputdev, macroKeyEvents[macro + 1],
0);
}
@@ -760,7 +760,8 @@ static void aiptek_irq(struct urb *urb)
aiptek->curSetting.toolMode;
}
- input_report_key(inputdev, macroKeyEvents[macro], 1);
+ if (macro > 0 && macro < 33)
+ input_report_key(inputdev, macroKeyEvents[macro], 1);
input_report_abs(inputdev, ABS_MISC,
1 | AIPTEK_REPORT_TOOL_UNKNOWN);
input_sync(inputdev);
--
2.17.1
Powered by blists - more mailing lists