Re: [PATCH 2/2] Input: synaptics-rmi4 - use u32 for reg_size to avoid sign extension into item->reg_size

From: Greg Kroah-Hartman

Date: Thu Apr 23 2026 - 00:51:30 EST


On Wed, Apr 22, 2026 at 06:59:31PM -0700, Dmitry Torokhov wrote:
> On Mon, Apr 20, 2026 at 08:59:46PM +0200, Greg Kroah-Hartman wrote:
> > rmi_read_register_desc() builds the 4-byte register size from device
> > bytes:
> >
> > reg_size = struct_buf[offset] |
> > (struct_buf[offset + 1] << 8) |
> > (struct_buf[offset + 2] << 16) |
> > (struct_buf[offset + 3] << 24);
> >
> > struct_buf is u8 *, so each byte is promoted to int before the shift. A
> > device that supplies a top byte with bit 7 set (e.g. 00 00 00 00 00 00
> > 80 in struct_buf to reach the 4-byte path with offset+3 = 0x80) makes
> > (0x80 << 24) overflow into the int sign bit, and the OR result is
> > negative. reg_size is then assigned to item->reg_size, which is
> > unsigned long, so the negative int sign-extends to a value near
> > ULONG_MAX.
> >
> > After this, bad things happen when numbers start wrapping and buffers
> > are allocated based on those numbers, and then accessed based on those
> > buffers assuming them to be a sane size (bigger or smaller).
> >
> > Fix this all up by just properly making reg_size be a u32.
>
> Shouldn't it be replaced with get_unaligned_le32() instead?

Sure, be glad to do that instead, this was just a "simpler" solution :)

I'll respin that after -rc1 is out.

thanks,

greg k-h
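The three constructions discussed in the thread side by side, as an added C example that is not from the patch or the kernel tree: the original int-shift build-up, the u32 version from the patch, and the get_unaligned_le32() alternative. It assumes a 64-bit kernel (unsigned long modelled as uint64_t), and get_unaligned_le32_model() is a portable stand-in for the kernel helper.

```c
#include <stdint.h>
#include <stdio.h>

/* Original construction: each u8 is promoted to int before the shift and the
 * OR lands in a signed int; widening to unsigned long (modelled as uint64_t,
 * i.e. a 64-bit kernel) then sign-extends a negative value.  The int shift is
 * written via a cast so the wraparound is defined in this model. */
static uint64_t reg_size_int_shift(const uint8_t *struct_buf, size_t offset)
{
    int reg_size = (int)((uint32_t)struct_buf[offset] |
                         ((uint32_t)struct_buf[offset + 1] << 8) |
                         ((uint32_t)struct_buf[offset + 2] << 16) |
                         ((uint32_t)struct_buf[offset + 3] << 24));
    uint64_t item_reg_size = reg_size;   /* int -> unsigned long: sign-extends */
    return item_reg_size;
}

/* Patch as posted: reg_size is u32, so there is no sign bit to extend. */
static uint64_t reg_size_u32(const uint8_t *struct_buf, size_t offset)
{
    uint32_t reg_size = (uint32_t)struct_buf[offset] |
                        ((uint32_t)struct_buf[offset + 1] << 8) |
                        ((uint32_t)struct_buf[offset + 2] << 16) |
                        ((uint32_t)struct_buf[offset + 3] << 24);
    uint64_t item_reg_size = reg_size;   /* u32 -> unsigned long: zero-extends */
    return item_reg_size;
}

/* Dmitry's suggestion: get_unaligned_le32().  Portable stand-in for the
 * kernel helper, assembling the LE value with no intermediate signed type. */
static uint32_t get_unaligned_le32_model(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t reg_size_le32(const uint8_t *struct_buf, size_t offset)
{
    return get_unaligned_le32_model(struct_buf + offset);
}

int main(void)
{
    /* Constructed descriptor bytes: top size byte has bit 7 set. */
    const uint8_t struct_buf[] = { 0x00, 0x00, 0x00, 0x80 };
    printf("int shift: 0x%016llx\n", (unsigned long long)reg_size_int_shift(struct_buf, 0));
    printf("u32      : 0x%016llx\n", (unsigned long long)reg_size_u32(struct_buf, 0));
    printf("le32     : 0x%016llx\n", (unsigned long long)reg_size_le32(struct_buf, 0));
    return 0;
}
```

With the 0x80 top byte the int-shift path yields 0xffffffff80000000 while both fixed paths yield 0x80000000; a benign size such as 0x1234 comes out identical on all three.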