Message-Id: <20250329002042.36967-1-qasdev00@gmail.com>
Date: Sat, 29 Mar 2025 00:20:42 +0000
From: Qasim Ijaz <qasdev00@...il.com>
To: ping.cheng@...om.com,
	jason.gerecke@...om.com,
	jikos@...nel.org,
	bentiss@...nel.org
Cc: linux-input@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush()

In wacom_wac_queue_flush() the code allocates a zero-initialised
buffer which it uses as a storage buffer for copying data from
a fifo via kfifo_out(). The kfifo_out() function returns the
number of elements it has copied. The code checks if the number
of copied elements does not equal the size of the fifo record;
if it does not, it simply skips the entry and continues to the
next iteration. However, it does not release the storage buffer,
leading to a memory leak.
 
Fix the memory leak by freeing the buffer on size mismatch.

Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit")
Signed-off-by: Qasim Ijaz <qasdev00@...il.com>
---
 drivers/hid/wacom_sys.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 666b7eb0fdfe..3e4f823f8ee8 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -87,6 +87,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
 			// to flush seems reasonable enough, however.
 			hid_warn(hdev, "%s: removed fifo entry with unexpected size\n",
 				 __func__);
+			kfree(buf);
 			continue;
 		}
 		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
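Review bot: The kfree(buf) added before `continue` in the size-mismatch branch closes this leak, but it leaves the loop relying on every early exit remembering to free the per-iteration buffer, so the next `continue` or `break` added here can reintroduce the same bug. Consider giving the buffer a single release point instead: either make the hid_report_raw_event() call conditional on the size matching and let both cases fall through to one kfree(buf), or declare buf with the scoped `__free(kfree)` annotation from linux/cleanup.h so it is released on every path out of the iteration. The allocation and the existing free are outside the visible context, so it is worth confirming in the full function that the new kfree(buf) cannot be followed by a second free of the same pointer.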
-- 
2.39.5

