diff mbox series

HID: wacom: Avoid using stale array indicies to read contact count

Message ID 20220118223841.45870-1-jason.gerecke@wacom.com (mailing list archive)
State Mainlined
Commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814
Delegated to: Jiri Kosina
Headers show
Series HID: wacom: Avoid using stale array indicies to read contact count | expand

Commit Message

Gerecke, Jason Jan. 18, 2022, 10:38 p.m. UTC
If we ever see a touch report with contact count data we initialize
several variables used to read the contact count in the pre-report
phase. These variables are never reset if we process a report which
doesn't contain a contact count, however. This can cause the pre-
report function to trigger a read of arbitrary memory (e.g. NULL
if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default
"none" values that were used prior to the commit mentioned
below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@vger.kernel.org
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
---
 drivers/hid/wacom_wac.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Jiri Kosina Jan. 21, 2022, 2:11 p.m. UTC | #1
On Tue, 18 Jan 2022, Jason Gerecke wrote:

> If we ever see a touch report with contact count data we initialize
> several variables used to read the contact count in the pre-report
> phase. These variables are never reset if we process a report which
> doesn't contain a contact count, however. This can cause the pre-
> report function to trigger a read of arbitrary memory (e.g. NULL
> if we're lucky) and potentially crash the driver.
> 
> This commit restores resetting of the variables back to default
> "none" values that were used prior to the commit mentioned
> below.
> 
> Link: https://github.com/linuxwacom/input-wacom/issues/276
> Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
> CC: stable@vger.kernel.org
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
> Reviewed-by: Ping Cheng <ping.cheng@wacom.com>

Applied, thank you.
diff mbox series

Patch

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 92b52b1de526..a7176fc0635d 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -2682,6 +2682,10 @@  static void wacom_wac_finger_pre_report(struct hid_device *hdev,
 
 	hid_data->confidence = true;
 
+	hid_data->cc_report = 0;
+	hid_data->cc_index = -1;
+	hid_data->cc_value_index = -1;
+
 	for (i = 0; i < report->maxfield; i++) {
 		struct hid_field *field = report->field[i];
 		int j;