[PATCH 08/11] Input: ims-pcu - fix out-of-bounds read in ims_pcu_irq() debug logging

Next message: Dmitry Torokhov: "[PATCH 02/11] Input: ims-pcu - fix use-after-free and double-free in disconnect"
Previous message: Dmitry Torokhov: "[PATCH 04/11] Input: ims-pcu - fix firmware leak in async update"
In reply to: Dmitry Torokhov: "[PATCH 04/11] Input: ims-pcu - fix firmware leak in async update"
Next in thread: Dmitry Torokhov: "[PATCH 02/11] Input: ims-pcu - fix use-after-free and double-free in disconnect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Sat May 23 2026 - 01:08:31 EST

The debug logging in ims_pcu_irq() unconditionally prints data from
pcu->urb_in_buf. However, if the interrupt fired for pcu->urb_ctrl, the
actual data resides in pcu->urb_ctrl_buf. If urb->actual_length for the
control URB exceeds pcu->max_in_size, this leads to an out-of-bounds
read.

Fix this by printing from the correct buffer associated with the URB.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Sashiko bot <sashiko-bot@xxxxxxxxxx>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/misc/ims-pcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index cdb46b2297a2..23e576500890 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1529,7 +1529,7 @@ static void ims_pcu_irq(struct urb *urb)
}

dev_dbg(pcu->dev, "%s: received %d: %*ph\n", __func__,
- urb->actual_length, urb->actual_length, pcu->urb_in_buf);
+ urb->actual_length, urb->actual_length, urb->transfer_buffer);

if (urb == pcu->urb_in)
ims_pcu_process_data(pcu, urb);
--
2.54.0.746.g67dd491aae-goog