| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aIJXqs-U8vDpYv0S@gmail.com>
Date: Thu, 24 Jul 2025 16:56:26 +0100
From: Qasim Ijaz <qasdev00@...il.com>
To: Jiri Slaby <jirislaby@...nel.org>
Cc: jikos@...nel.org, bentiss@...nel.org, linux-input@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] HID: multitouch: fix integer overflow in set_abs()
On Thu, Jul 24, 2025 at 08:58:40AM +0200, Jiri Slaby wrote:
> On 23. 07. 25, 19:36, Qasim Ijaz wrote:
> > It is possible for a malicious HID device to trigger a signed integer
> > overflow (undefined behaviour) in set_abs() in the following expression
> > by supplying bogus logical maximum and minimum values:
> >
> > int fuzz = snratio ? (fmax - fmin) / snratio : 0;
> >
> > For example, if the logical_maximum is INT_MAX and logical_minimum is -1
> > then (fmax - fmin) resolves to INT_MAX + 1, which does not fit in a 32-bit
> > signed int, so the subtraction overflows.
>
> The question is if it matters with -fwrapv?
Ah yea thanks for bringing this up Jiri. I think you might be correct,
after doing some research it looks like the kernel enables -fno‑strict‑overflow
which implies -fwrapv which leads to wrap around instead of UB If I undestand
correctly. So with that in mind this patch probably doesn't do anything
useful, do you agree?
Thanks
qasim.
>
> > Fix this by computing the
> > difference in a 64 bit context.
> >
> > Fixes: 5519cab477b6 ("HID: hid-multitouch: support for PixCir-based panels")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Qasim Ijaz <qasdev00@...il.com>
> > ---
> > drivers/hid/hid-multitouch.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
> > index 22c6314a8843..687638ed6d0f 100644
> > --- a/drivers/hid/hid-multitouch.c
> > +++ b/drivers/hid/hid-multitouch.c
> > @@ -540,7 +540,8 @@ static void set_abs(struct input_dev *input, unsigned int code,
> > {
> > int fmin = field->logical_minimum;
> > int fmax = field->logical_maximum;
> > - int fuzz = snratio ? (fmax - fmin) / snratio : 0;
> > + s64 diff = (s64)fmax - (s64)fmin;
> > + int fuzz = snratio ? (int)div_s64(diff, snratio) : 0;
> > input_set_abs_params(input, code, fmin, fmax, fuzz, 0);
> > input_abs_set_res(input, code, hidinput_calc_abs_res(field, code));
> > }
>
> --
> js
> suse labs
>
Powered by blists - more mailing lists