Re: [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
From: Sergey Shtylyov
Date: Mon Jun 29 2026 - 09:29:01 EST
On 6/29/26 11:46 AM, Jiri Kosina wrote:
>> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
>> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
>> If the loop executes more than INT_MAX times, 'k' becomes negative,
>> making the condition 'k < size' true even when 'size' is 0.
>>
>> Change the type of 'k' to 'unsigned int' to prevent the overflow and
>> eliminate the out-of-bounds access.
>>
>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>> analysis tool.
>>
>> Fixes: fabdbf2 ("HID: picoLCD: split driver code")
>
> Next time, please make the shas of commits a little bit longer to avoid
> uncertainty.
>
>> Signed-off-by: Georgiy Osokin <g.osokin@xxxxxxxxxxxx>
>
> Applied, thanks!
Hm, I think we (with the help of Sashiko [1]) arrived at the conclusion
that an overflow should never happen with the current ranges of the loop
counters. We have re-resolved this issue as a false positive internally...
[1] https://lore.kernel.org/all/20260517125108.BC3FDC2BCB0@xxxxxxxxxxxxxxx/
> --
> Jiri Kosina
> SUSE Labs
MBR, Sergey