| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <IA1PR11MB60982E414B3B5226331C018BF422A@IA1PR11MB6098.namprd11.prod.outlook.com>
Date: Tue, 5 Aug 2025 02:15:07 +0000
From: "Xu, Even" <even.xu@...el.com>
To: "Aaron, Ma" <aaron.ma@...onical.com>, "Sun, Xinpeng"
<xinpeng.sun@...el.com>, "jikos@...nel.org" <jikos@...nel.org>,
"bentiss@...nel.org" <bentiss@...nel.org>, "linux-input@...r.kernel.org"
<linux-input@...r.kernel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "Aaron, Ma" <aaron.ma@...onical.com>
Subject: RE: [PATCH 2/2] HID: intel-thc-hid: intel-thc: Fix incorrect pointer
arithmetic in I2C regs save
> -----Original Message-----
> From: Aaron Ma <aaron.ma@...onical.com>
> Sent: Sunday, August 3, 2025 2:57 PM
> To: Xu, Even <even.xu@...el.com>; Sun, Xinpeng <xinpeng.sun@...el.com>;
> jikos@...nel.org; bentiss@...nel.org; linux-input@...r.kernel.org; linux-
> kernel@...r.kernel.org; Aaron, Ma <aaron.ma@...onical.com>
> Subject: [PATCH 2/2] HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic
> in I2C regs save
>
> Improper use of secondary pointer (&dev->i2c_subip_regs) caused kernel crash
> and out-of-bounds error:
>
> BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510 Write of
> size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107
>
> CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3
> PREEMPT(voluntary)
> Workqueue: async async_run_entry_fn
> Call Trace:
> <TASK>
> dump_stack_lvl+0x76/0xa0
> print_report+0xd1/0x660
> ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> ? kasan_complete_mode_report_info+0x26/0x200
> kasan_report+0xe1/0x120
> ? _regmap_bulk_read+0x449/0x510
> ? _regmap_bulk_read+0x449/0x510
> __asan_report_store4_noabort+0x17/0x30
> _regmap_bulk_read+0x449/0x510
> ? __pfx__regmap_bulk_read+0x10/0x10
> regmap_bulk_read+0x270/0x3d0
> pio_complete+0x1ee/0x2c0 [intel_thc]
> ? __pfx_pio_complete+0x10/0x10 [intel_thc]
> ? __pfx_pio_wait+0x10/0x10 [intel_thc]
> ? regmap_update_bits_base+0x13b/0x1f0
> thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]
> thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]
> ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc] [...] The buggy address
> belongs to the object at ffff888136005d00
> which belongs to the cache kmalloc-rnd-12-192 of size 192 The buggy address is
> located 0 bytes to the right of
> allocated 192-byte region [ffff888136005d00, ffff888136005dc0)
>
> Replaced with direct array indexing (&dev->i2c_subip_regs[i]) to ensure safe
> memory access.
>
> Fixes: 4228966def884 ("HID: intel-thc-hid: intel-thc: Add THC I2C config
> interfaces")
> Signed-off-by: Aaron Ma <aaron.ma@...onical.com>
> ---
> drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c b/drivers/hid/intel-
> thc-hid/intel-thc/intel-thc-dev.c
> index c105df7f6c873..4698722e0d0a6 100644
> --- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
> +++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
> @@ -1539,7 +1539,7 @@ int thc_i2c_subip_regs_save(struct thc_device *dev)
>
> for (int i = 0; i < ARRAY_SIZE(i2c_subip_regs); i++) {
> ret = thc_i2c_subip_pio_read(dev, i2c_subip_regs[i],
> - &read_size, (u32 *)&dev-
> >i2c_subip_regs + i);
> + &read_size, &dev-
> >i2c_subip_regs[i]);
> if (ret < 0)
> return ret;
> }
> @@ -1562,7 +1562,7 @@ int thc_i2c_subip_regs_restore(struct thc_device
> *dev)
>
> for (int i = 0; i < ARRAY_SIZE(i2c_subip_regs); i++) {
> ret = thc_i2c_subip_pio_write(dev, i2c_subip_regs[i],
> - write_size, (u32 *)&dev-
> >i2c_subip_regs + i);
> + write_size, &dev-
> >i2c_subip_regs[i]);
> if (ret < 0)
> return ret;
> }
Thanks for the fix!
Reviewed-by: Even Xu <even.xu@...el.com>
Tested-by: Even Xu <even.xu@...el.com>
> --
> 2.43.0
Powered by blists - more mailing lists