Re: [PATCH] Input: ims-pcu - bound frame parser write index against read_buf size
From: Greg Kroah-Hartman
Date: Thu Apr 23 2026 - 00:52:35 EST

On Wed, Apr 22, 2026 at 06:36:24PM -0700, Dmitry Torokhov wrote:
> Hi Greg,
>
> On Mon, Apr 20, 2026 at 09:05:31PM +0200, Greg Kroah-Hartman wrote:
> > ims_pcu_process_data() implements a STX/DLE/ETX byte-stuffing parser
> > that accumulates frame payload into pcu->read_buf[] using the running
> > index pcu->read_pos. read_buf is IMS_PCU_BUF_SIZE (128) bytes and
> > read_pos is u8 but of course, we don't check the index before actually
> > writing the data :(
> >
> > Fix this up by properly rejecting the frame at the first attempt to
> > write past read_buf and resync on the next STX, mirroring how the parser
> > handles short and bad-checksum frames on ETX.
> >
> > Cc: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
> > Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
> > Cc: stable <stable@xxxxxxxxxx>
> > Assisted-by: gkh_clanker_t1000
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> I already have a patch for this, thanks.

Ah, missed that, sorry, I was working against Linus's tree. I am
guessing you are referring to commit 875115b82c29 ("Input: ims-pcu - fix
heap-buffer-overflow in ims_pcu_process_data()")? If so, why wasn't
that tagged for stable inclusion?

thanks,
greg k-h
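
The bound-then-resync behaviour described in the quoted commit message, as an added user-space sketch; it is not the driver's code and not either patch discussed in this thread. STX/ETX/DLE use their ASCII values, and the struct, its field names and the `demo` input are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 128 /* IMS_PCU_BUF_SIZE, per the commit message */
enum { STX = 0x02, ETX = 0x03, DLE = 0x10 }; /* ASCII codes; assumed framing values */

struct parser {
	uint8_t buf[BUF_SIZE];
	uint8_t pos, last_len; /* pos is u8: it can count to 255, buf holds 128 */
	bool have_stx, have_dle;
	unsigned frames, dropped;
};

/* Byte-stuffing parser: an oversized frame is rejected, never written. */
static void feed(struct parser *p, const uint8_t *d, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		if (!p->have_stx) {                       /* hunting for start of frame */
			p->have_stx = (d[i] == STX);
			p->pos = 0;
		} else if (!p->have_dle && d[i] == DLE) {
			p->have_dle = true;               /* next byte is literal payload */
		} else if (!p->have_dle && d[i] == ETX) {
			p->last_len = p->pos;             /* frame complete */
			p->frames++;
			p->have_stx = false;
		} else if (p->pos >= BUF_SIZE) {          /* bound the index before writing */
			p->have_stx = p->have_dle = false;
			p->dropped++;                     /* reject; resync on the next STX */
		} else {
			p->have_dle = false;
			p->buf[p->pos++] = d[i];
		}
	}
}

/* Constructed input: a frame of n 'A' bytes (n <= 290), then STX DLE ETX 'i' ETX. */
static struct parser demo(size_t n)
{
	struct parser p = {0};
	uint8_t in[300], *w = in;
	*w++ = STX; memset(w, 'A', n); w += n; *w++ = ETX;
	*w++ = STX; *w++ = DLE; *w++ = ETX; *w++ = 'i'; *w++ = ETX;
	feed(&p, in, (size_t)(w - in));
	return p;
}

int main(void) { return demo(200).dropped == 1 ? 0 : 1; }
```

A 128-byte payload exactly fills the buffer and is accepted; the 129th byte is where the frame is dropped, and the frame that follows still parses.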