[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <f7257221-cbfa-4f51-8ac4-38060bfaf2f4@kernel.org>
Date: Thu, 31 Jul 2025 09:43:38 +0200
From: Jiri Slaby <jirislaby@...nel.org>
To: Qasim Ijaz <qasdev00@...il.com>
Cc: jikos@...nel.org, bentiss@...nel.org, linux-input@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] HID: multitouch: fix integer overflow in set_abs()
On 24. 07. 25, 17:56, Qasim Ijaz wrote:
> On Thu, Jul 24, 2025 at 08:58:40AM +0200, Jiri Slaby wrote:
>> On 23. 07. 25, 19:36, Qasim Ijaz wrote:
>>> It is possible for a malicious HID device to trigger a signed integer
>>> overflow (undefined behaviour) in set_abs() in the following expression
>>> by supplying bogus logical maximum and minimum values:
>>>
>>> int fuzz = snratio ? (fmax - fmin) / snratio : 0;
>>>
>>> For example, if the logical_maximum is INT_MAX and logical_minimum is -1
>>> then (fmax - fmin) resolves to INT_MAX + 1, which does not fit in a 32-bit
>>> signed int, so the subtraction overflows.
>>
>> The question is if it matters with -fwrapv?
>
> Ah yea thanks for bringing this up Jiri. I think you might be correct,
> after doing some research it looks like the kernel enables -fno‑strict‑overflow
> which implies -fwrapv which leads to wrap around instead of UB If I undestand
> correctly. So with that in mind this patch probably doesn't do anything
> useful, do you agree?
Yes, it correctly wraps around. But the question remains :). Does it
matter or not?
thanks,
--
js
suse labs
Powered by blists - more mailing lists