[PATCH] Input/mouse: cyapa - fix stack overflow bug in cyapa_gen3_get_query_data

From: itewqq
Date: Sat Oct 12 2024 - 06:16:45 EST

Next message: Zhangfei Gao: "Re: [PATCH v3 03/11] iommufd: Introduce IOMMUFD_OBJ_VIOMMU and its related struct"
Previous message: Akihiko Odaki: "Re: [PATCH RFC v5 06/10] tun: Introduce virtio-net hash reporting feature"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The i2c_smbus_read_block_data function receives up to I2C_SMBUS_BLOCK_MAX
bytes. which is typically 32. This exceeds the size of the local variable
(u8 query_data[QUERY_DATA_SIZE]) in cyapa_gen3_get_query_data, which is
provided to cyapa_read_block and finally reach i2c_smbus_read_block_data.
When the cyapa module is enabled (CONFIG_MOUSE_CYAPA=m), this bug could
cause denial-of-service (or potentially code execution). For example, by a
physical attacker who can hijack I2C communications or plant malicious
firmware in the Cyapa peripheral. To fix this bug, this patch change the
size of query_data from QUERY_DATA_SIZE to I2C_SMBUS_BLOCK_MAX.

Signed-off-by: itewqq <shipeiqu@xxxxxxxxxxx>
---
drivers/input/mouse/cyapa_gen3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/mouse/cyapa_gen3.c b/drivers/input/mouse/cyapa_gen3.c
index fc3fb954523b..6a5ffff51922 100644
--- a/drivers/input/mouse/cyapa_gen3.c
+++ b/drivers/input/mouse/cyapa_gen3.c
@@ -980,7 +980,7 @@ static int cyapa_gen3_set_proximity(struct cyapa *cyapa, bool enable)

static int cyapa_gen3_get_query_data(struct cyapa *cyapa)
{
- u8 query_data[QUERY_DATA_SIZE];
+ u8 query_data[I2C_SMBUS_BLOCK_MAX];
int ret;

if (cyapa->state != CYAPA_STATE_OP)
--
2.30.2

Next message: Zhangfei Gao: "Re: [PATCH v3 03/11] iommufd: Introduce IOMMUFD_OBJ_VIOMMU and its related struct"
Previous message: Akihiko Odaki: "Re: [PATCH RFC v5 06/10] tun: Introduce virtio-net hash reporting feature"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]