[PATCH 2/2] Input: synaptics-rmi4 - use u32 for reg_size to avoid sign extension into item->reg_size
From: Greg Kroah-Hartman
Date: Mon Apr 20 2026 - 14:59:55 EST
rmi_read_register_desc() builds the 4-byte register size from device
bytes:
    reg_size = struct_buf[offset] |
               (struct_buf[offset + 1] << 8) |
               (struct_buf[offset + 2] << 16) |
               (struct_buf[offset + 3] << 24);
struct_buf is u8 *, so each byte is promoted to int before the shift. A
device that supplies a top byte with bit 7 set (e.g. 00 00 00 00 00 00
80 in struct_buf to reach the 4-byte path with offset+3 = 0x80) makes
(0x80 << 24) overflow into the int sign bit, and the OR result is
negative. reg_size is then assigned to item->reg_size, which is
unsigned long, so the negative int sign-extends to a value near
ULONG_MAX.
After this, bad things happen when numbers start wrapping and buffers
are allocated based on those numbers, and then accessed based on those
buffers, assuming them to be a sane size (bigger or smaller).
Fix this all up by just properly making reg_size be a u32.
Cc: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
Fixes: b43d2c1e9353 ("Input: synaptics-rmi4 - add support for F12")
Cc: stable <stable@xxxxxxxxxx>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/input/rmi4/rmi_driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
index 9143f11e42a3..801096c7235e 100644
--- a/drivers/input/rmi4/rmi_driver.c
+++ b/drivers/input/rmi4/rmi_driver.c
@@ -643,7 +643,7 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
for (i = 0; i < rdesc->num_registers; i++) {
struct rmi_register_desc_item *item = &rdesc->registers[i];
- int reg_size;
+ u32 reg_size;
if (offset >= rdesc->struct_size)
goto malformed;
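Review bot: changing only the destination type at `+ u32 reg_size;` leaves the expression that feeds it unchanged; per the commit message the bytes are still combined as `(struct_buf[offset + 3] << 24)` on int-promoted u8 operands, so the shift into bit 31 still happens in a signed int even though the result now lands in a u32. Cast each byte to u32 before shifting, or assemble the value with `get_unaligned_le32(&struct_buf[offset])`, so the arithmetic itself is unsigned rather than relying on the conversion at assignment. Separately, this hunk shows only the `offset >= rdesc->struct_size` check on the descriptor walk and no upper bound on `reg_size` before it is stored in `item->reg_size`; a device can still present 0xFFFFFFFF, and since the commit message says buffers are allocated from this number, a sanity limit on the per-register size belongs here unless one is enforced later.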
--
2.53.0
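The sign-extension chain the commit message describes, as an added host-side illustration that is not part of the patch or of drivers/input/rmi4: two helpers model the pre-patch (int local) and post-patch (u32 local) assignment into an unsigned long item->reg_size from a constructed four-byte descriptor fragment. The function names, the sample buffers and the assumption that the four size bytes sit at offset 0 are this example's own, not the driver's.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint32_t u32;

/* Constructed sample descriptor bytes (not real device data): the four
 * little-endian size bytes encode 0x80000000, i.e. bit 7 of the top
 * byte is set, which is the case described in the commit message. */
static const u8 hostile_buf[4] = { 0x00, 0x00, 0x00, 0x80 };
/* Constructed benign sample: a register size of 16 bytes. */
static const u8 benign_buf[4] = { 0x10, 0x00, 0x00, 0x00 };

/* Pre-patch behaviour: the local is int and item->reg_size is unsigned
 * long. In the kernel the u8 operands are promoted to int before the
 * shifts, so the OR result is a negative int whenever byte 3 has bit 7
 * set. The int is obtained here by converting the assembled 32-bit
 * pattern instead of shifting 0x80 left by 24 in a signed int, which
 * would be undefined behaviour on the host; the stored bit pattern is
 * the same two's-complement value the original expression produces. */
static unsigned long item_reg_size_int_local(const u8 *buf, size_t offset)
{
	u32 bits = (u32)buf[offset] |
		   ((u32)buf[offset + 1] << 8) |
		   ((u32)buf[offset + 2] << 16) |
		   ((u32)buf[offset + 3] << 24);
	int reg_size = (int)bits;		/* negative when bit 31 is set */
	unsigned long item_reg_size = reg_size;	/* sign-extends on LP64 */
	return item_reg_size;
}

/* Post-patch behaviour: the local is u32 and every operand is cast to
 * u32 before shifting, so the arithmetic is unsigned throughout and the
 * assignment to unsigned long zero-extends. */
static unsigned long item_reg_size_u32_local(const u8 *buf, size_t offset)
{
	u32 reg_size = (u32)buf[offset] |
		       ((u32)buf[offset + 1] << 8) |
		       ((u32)buf[offset + 2] << 16) |
		       ((u32)buf[offset + 3] << 24);
	unsigned long item_reg_size = reg_size;	/* zero-extends */
	return item_reg_size;
}

int main(void)
{
	printf("benign  : int local %#lx, u32 local %#lx\n",
	       item_reg_size_int_local(benign_buf, 0),
	       item_reg_size_u32_local(benign_buf, 0));
	printf("hostile : int local %#lx, u32 local %#lx\n",
	       item_reg_size_int_local(hostile_buf, 0),
	       item_reg_size_u32_local(hostile_buf, 0));
	return 0;
}
```

On a 64-bit host the hostile buffer yields 0xffffffff80000000 through the int local and 0x80000000 through the u32 local; the benign buffer yields 16 either way. Note that 0x80000000 is still a device-supplied size, so the type fix only removes the sign extension and a caller that sizes allocations from item->reg_size still needs its own upper bound.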