Re: [PATCH] Input: synaptics-rmi4 - bound the F54 report size to the allocated buffer

From: Dmitry Torokhov

Date: Fri Jun 26 2026 - 01:21:55 EST


Hi Bryam,

On Sat, Jun 13, 2026 at 11:01:16PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> rmi_f54_work() reads a diagnostics report from the device into
> f54->report_data, sizing the transfer with rmi_f54_get_report_size():
>
> report_size = rmi_f54_get_report_size(f54);
> ...
> for (i = 0; i < report_size; i += F54_REPORT_DATA_SIZE) {
>         int size = min(F54_REPORT_DATA_SIZE, report_size - i);
>         ...
>         rmi_read_block(.., f54->report_data + i, size);
> }
>
> report_data is allocated once at probe from F54's own electrode counts
> (array3_size(f54->num_tx_electrodes, f54->num_rx_electrodes, sizeof(u16))),
> but rmi_f54_get_report_size() computes the size from
> drv_data->num_*_electrodes when those are set, i.e. from the F55
> function's electrode counts. Both counts come straight from device
> queries (F54 and F55 each report up to 255 electrodes) and nothing
> constrains the F55 counts to the F54 ones.
>
> A malicious or malfunctioning RMI4 device that reports larger F55
> electrode counts than its F54 counts makes report_size exceed the
> allocation, so the read loop writes past report_data (and the V4L2
> dequeue memcpy() then reads past it). On conforming hardware the F55
> configured electrodes are a subset of the F54 physical electrodes, so
> report_size never exceeds the buffer and well-behaved devices are
> unaffected.
>
> Record the allocation size and reject a report that does not fit,
> mirroring the existing zero-size check.
>
> Fixes: c762cc68b6a1 ("Input: synaptics-rmi4 - propagate correct number of rx and tx electrodes to F54")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>

Thanks for the patch. It makes sense, but there are more changes needed
in F54. I incorporated it in the series I just posted; I would appreciate
it if you could review it.

Thanks.

--
Dmitry
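The size mismatch and the bounds check described in the quoted commit message, as an added stand-alone C model. This is example code written for this page, not the rmi4 driver's code: `struct f54_model`, `REPORT_CHUNK`, `f54_check_report()`, `f54_read_report()` and `scenario()` are hypothetical stand-ins for `struct f54_data`, `F54_REPORT_DATA_SIZE`, the size check and the chunked `rmi_read_block()` loop, and the report is modelled as a u16-per-electrode-pair report so the size is tx * rx * sizeof(u16). The F55 counts are treated as "set" when non-zero, the allocation size is recorded from the F54 counts as at probe, and a report larger than that allocation is rejected before the read loop runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed chunk size for the read loop; a stand-in for the driver's F54_REPORT_DATA_SIZE. */
#define REPORT_CHUNK 16

/* Hypothetical stand-in for the relevant fields of struct f54_data plus the F55 counts. */
struct f54_model {
	uint8_t num_tx_electrodes;	/* F54's own query counts: these size the allocation */
	uint8_t num_rx_electrodes;
	uint8_t f55_tx_electrodes;	/* F55 counts (drv_data->num_*_electrodes); 0 means unset */
	uint8_t f55_rx_electrodes;
	size_t report_alloc_size;	/* recorded at "probe" so the report size can be checked against it */
};

enum { F54_OK = 0, F54_EMPTY = -1, F54_TOO_BIG = -2 };

/* Mirrors the probe-time allocation: array3_size(tx, rx, sizeof(u16)) from F54's own counts. */
static size_t f54_alloc_size(const struct f54_model *f54)
{
	return (size_t)f54->num_tx_electrodes * f54->num_rx_electrodes * sizeof(uint16_t);
}

/* Mirrors rmi_f54_get_report_size(): F55 counts win when they are set, F54 counts otherwise. */
static size_t f54_report_size(const struct f54_model *f54)
{
	size_t tx = f54->f55_tx_electrodes ? f54->f55_tx_electrodes : f54->num_tx_electrodes;
	size_t rx = f54->f55_rx_electrodes ? f54->f55_rx_electrodes : f54->num_rx_electrodes;

	return tx * rx * sizeof(uint16_t);
}

/* The check the patch adds: keep the existing zero-size rejection and also reject a report
 * that would not fit in the buffer allocated at probe. */
static int f54_check_report(const struct f54_model *f54, size_t *report_size)
{
	size_t size = f54_report_size(f54);

	if (size == 0)
		return F54_EMPTY;
	if (size > f54->report_alloc_size)
		return F54_TOO_BIG;
	*report_size = size;
	return F54_OK;
}

/* Simulates the chunked read loop; memcpy() from `device` stands in for rmi_read_block().
 * Only runs once the size has been checked, so dst (alloc_size bytes) is never overrun. */
static int f54_read_report(const struct f54_model *f54, const uint8_t *device, uint8_t *dst)
{
	size_t report_size, i;
	int rc = f54_check_report(f54, &report_size);

	if (rc != F54_OK)
		return rc;
	for (i = 0; i < report_size; i += REPORT_CHUNK) {
		size_t chunk = report_size - i < REPORT_CHUNK ? report_size - i : REPORT_CHUNK;

		memcpy(dst + i, device + i, chunk);
	}
	return (int)report_size;
}

/* Builds one scenario from constructed electrode counts, records the allocation size as probe
 * would, and returns the bytes read or the negative rejection code. */
static int scenario(uint8_t f54_tx, uint8_t f54_rx, uint8_t f55_tx, uint8_t f55_rx)
{
	static uint8_t device[255 * 255 * 2];	/* constructed device-side report, worst-case size */
	static uint8_t buf[255 * 255 * 2];	/* only report_alloc_size bytes of this are "allocated" */
	struct f54_model f54 = { f54_tx, f54_rx, f55_tx, f55_rx, 0 };

	f54.report_alloc_size = f54_alloc_size(&f54);
	memset(device, 0xab, sizeof(device));
	return f54_read_report(&f54, device, buf);
}

int main(void)
{
	printf("conforming (F55 subset of F54): %d\n", scenario(8, 12, 8, 10));	/* 160 bytes read */
	printf("F55 unset, F54 counts used:     %d\n", scenario(8, 12, 0, 0));	/* 192 bytes read */
	printf("F55 counts exceed allocation:   %d\n", scenario(8, 12, 255, 255));	/* F54_TOO_BIG */
	printf("zero electrodes:                %d\n", scenario(8, 0, 0, 0));	/* F54_EMPTY */
	return 0;
}
```

The third scenario is the case the commit message describes: F55 reports 255x255 electrodes against an F54 allocation of 8x12x2 bytes, so without the recorded allocation size the loop would copy 130050 bytes into a 192-byte buffer; with the check the work function returns before any read takes place.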