lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <IA1PR11MB60982E414B3B5226331C018BF422A@IA1PR11MB6098.namprd11.prod.outlook.com>
Date: Tue, 5 Aug 2025 02:15:07 +0000
From: "Xu, Even" <even.xu@...el.com>
To: "Aaron, Ma" <aaron.ma@...onical.com>, "Sun, Xinpeng"
	<xinpeng.sun@...el.com>, "jikos@...nel.org" <jikos@...nel.org>,
	"bentiss@...nel.org" <bentiss@...nel.org>, "linux-input@...r.kernel.org"
	<linux-input@...r.kernel.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "Aaron, Ma" <aaron.ma@...onical.com>
Subject: RE: [PATCH 2/2] HID: intel-thc-hid: intel-thc: Fix incorrect pointer
 arithmetic in I2C regs save



> -----Original Message-----
> From: Aaron Ma <aaron.ma@...onical.com>
> Sent: Sunday, August 3, 2025 2:57 PM
> To: Xu, Even <even.xu@...el.com>; Sun, Xinpeng <xinpeng.sun@...el.com>;
> jikos@...nel.org; bentiss@...nel.org; linux-input@...r.kernel.org; linux-
> kernel@...r.kernel.org; Aaron, Ma <aaron.ma@...onical.com>
> Subject: [PATCH 2/2] HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic
> in I2C regs save
> 
> Improper use of secondary pointer (&dev->i2c_subip_regs) caused kernel crash
> and out-of-bounds error:
> 
>  BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510  Write of
> size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107
> 
>  CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3
> PREEMPT(voluntary)
>  Workqueue: async async_run_entry_fn
>  Call Trace:
>   <TASK>
>   dump_stack_lvl+0x76/0xa0
>   print_report+0xd1/0x660
>   ? __pfx__raw_spin_lock_irqsave+0x10/0x10
>   ? kasan_complete_mode_report_info+0x26/0x200
>   kasan_report+0xe1/0x120
>   ? _regmap_bulk_read+0x449/0x510
>   ? _regmap_bulk_read+0x449/0x510
>   __asan_report_store4_noabort+0x17/0x30
>   _regmap_bulk_read+0x449/0x510
>   ? __pfx__regmap_bulk_read+0x10/0x10
>   regmap_bulk_read+0x270/0x3d0
>   pio_complete+0x1ee/0x2c0 [intel_thc]
>   ? __pfx_pio_complete+0x10/0x10 [intel_thc]
>   ? __pfx_pio_wait+0x10/0x10 [intel_thc]
>   ? regmap_update_bits_base+0x13b/0x1f0
>   thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]
>   thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]
>   ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc] [...]  The buggy address
> belongs to the object at ffff888136005d00
>   which belongs to the cache kmalloc-rnd-12-192 of size 192  The buggy address is
> located 0 bytes to the right of
>   allocated 192-byte region [ffff888136005d00, ffff888136005dc0)
> 
> Replaced with direct array indexing (&dev->i2c_subip_regs[i]) to ensure safe
> memory access.
> 
> Fixes: 4228966def884 ("HID: intel-thc-hid: intel-thc: Add THC I2C config
> interfaces")
> Signed-off-by: Aaron Ma <aaron.ma@...onical.com>
> ---
>  drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c b/drivers/hid/intel-
> thc-hid/intel-thc/intel-thc-dev.c
> index c105df7f6c873..4698722e0d0a6 100644
> --- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
> +++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
> @@ -1539,7 +1539,7 @@ int thc_i2c_subip_regs_save(struct thc_device *dev)
> 
>  	for (int i = 0; i < ARRAY_SIZE(i2c_subip_regs); i++) {
>  		ret = thc_i2c_subip_pio_read(dev, i2c_subip_regs[i],
> -					     &read_size, (u32 *)&dev-
> >i2c_subip_regs + i);
> +					     &read_size, &dev-
> >i2c_subip_regs[i]);
>  		if (ret < 0)
>  			return ret;
>  	}
> @@ -1562,7 +1562,7 @@ int thc_i2c_subip_regs_restore(struct thc_device
> *dev)
> 
>  	for (int i = 0; i < ARRAY_SIZE(i2c_subip_regs); i++) {
>  		ret = thc_i2c_subip_pio_write(dev, i2c_subip_regs[i],
> -					      write_size, (u32 *)&dev-
> >i2c_subip_regs + i);
> +					      write_size, &dev-
> >i2c_subip_regs[i]);
>  		if (ret < 0)
>  			return ret;
>  	}

Thanks for the fix!

Reviewed-by: Even Xu <even.xu@...el.com>
Tested-by: Even Xu <even.xu@...el.com>

> --
> 2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ