Re: [PATCH 2/2] Input: synaptics-rmi4 - use u32 for reg_size to avoid sign extension into item->reg_size

From: Dmitry Torokhov

Date: Wed Apr 22 2026 - 22:00:56 EST


On Mon, Apr 20, 2026 at 08:59:46PM +0200, Greg Kroah-Hartman wrote:
> rmi_read_register_desc() builds the 4-byte register size from device
> bytes:
>
> reg_size = struct_buf[offset] |
> (struct_buf[offset + 1] << 8) |
> (struct_buf[offset + 2] << 16) |
> (struct_buf[offset + 3] << 24);
>
> struct_buf is u8 *, so each byte is promoted to int before the shift. A
> device that supplies a top byte with bit 7 set (e.g. 00 00 00 00 00 00
> 80 in struct_buf to reach the 4-byte path with offset+3 = 0x80) makes
> (0x80 << 24) overflow into the int sign bit, and the OR result is
> negative. reg_size is then assigned to item->reg_size, which is
> unsigned long, so the negative int sign-extends to a value near
> ULONG_MAX.
>
> After this, bad things happen when numbers start wrapping and buffers
> are allocated based on those numbers, and then accessed based on those
> buffers assumed to be a sane size (bigger or smaller).
>
> Fix this all up by just properly making reg_size be a u32.

Shouldn't it be replaced with get_unaligned_le32() instead?

Thanks.

--
Dmitry
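
As an added illustration that is not part of this thread or of the synaptics-rmi4 driver, the standalone C program below reproduces the promotion chain the commit message describes and sets the two remedies side by side: the u32 reg_size from the patch, and a little-endian 32-bit load of the kind Dmitry suggests. The struct desc_item is a stand-in for the item->reg_size field (unsigned long) named in the description, the sample_desc bytes are constructed here rather than captured from a device, and le32_load() is a userspace stand-in for the kernel's get_unaligned_le32(), which is not available outside the kernel.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not driver code. This struct stands in for the
 * kernel's item->reg_size field described in the patch: an unsigned long.
 */
struct desc_item {
	unsigned long reg_size;
};

/*
 * Constructed sample register descriptor bytes (not captured from a device):
 * the 4-byte size field starts at offset 3 and its top byte is 0x80, the
 * case the commit message calls out.
 */
static const uint8_t sample_desc[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 };
#define SAMPLE_OFFSET 3

/* Original arithmetic as quoted from rmi_read_register_desc(). */
static unsigned long buggy_reg_size(const uint8_t *struct_buf, size_t offset)
{
	struct desc_item item;
	int reg_size;	/* the type the patch replaces */

	/* Each u8 is promoted to int; 0x80 << 24 lands in the int sign bit
	 * (strictly undefined in ISO C, a plain shift in practice). */
	reg_size = struct_buf[offset] |
		   (struct_buf[offset + 1] << 8) |
		   (struct_buf[offset + 2] << 16) |
		   (struct_buf[offset + 3] << 24);
	item.reg_size = reg_size;	/* negative int sign-extends to unsigned long */
	return item.reg_size;
}

/* The patch's fix: reg_size as u32. The OR still happens in int, but the
 * store into u32 keeps only the low 32 bits, and u32 -> unsigned long is a
 * zero-extension, so the sign never leaks into item->reg_size. */
static unsigned long u32_reg_size(const uint8_t *struct_buf, size_t offset)
{
	struct desc_item item;
	uint32_t reg_size;

	reg_size = struct_buf[offset] |
		   (struct_buf[offset + 1] << 8) |
		   (struct_buf[offset + 2] << 16) |
		   (struct_buf[offset + 3] << 24);
	item.reg_size = reg_size;
	return item.reg_size;
}

/* Dmitry's suggestion, as a userspace stand-in for get_unaligned_le32():
 * shifting uint32_t operands means no signed int is ever formed. */
static uint32_t le32_load(const uint8_t *p)
{
	return (uint32_t)p[0] |
	       ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) |
	       ((uint32_t)p[3] << 24);
}

static unsigned long le32_reg_size(const uint8_t *struct_buf, size_t offset)
{
	struct desc_item item;

	item.reg_size = le32_load(struct_buf + offset);
	return item.reg_size;
}

int main(void)
{
	printf("int reg_size : 0x%lx\n", buggy_reg_size(sample_desc, SAMPLE_OFFSET));
	printf("u32 reg_size : 0x%lx\n", u32_reg_size(sample_desc, SAMPLE_OFFSET));
	printf("le32 load    : 0x%lx\n", le32_reg_size(sample_desc, SAMPLE_OFFSET));
	return 0;
}
```

On an LP64 target the first line prints 0xffffffff80000000 while both fixes print 0x80000000; on a 32-bit unsigned long all three agree, which is why the bug only bites on 64-bit kernels where the sign-extended value is near ULONG_MAX.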