
Commit 1317481c authored by Andrew Chant's avatar Andrew Chant Committed by Shantanu Jain

input: touchscreen: validate bounds of intr_reg_num



Validate the intr_reg_num value returned by touchscreen
to ensure no out of bounds access can occur.

Bug: 35472278
Signed-off-by: default avatarAndrew Chant <achant@google.com>

Change-Id: Ib2b5a53034fd1306d29a74ff0f2f698f149fc8c3
Git-repo: https://android.googlesource.com/kernel/msm


Git-commit: 70e632224737d448b1b4083af7d6b8fcee02b192
Signed-off-by: default avatarDennis Cagle <dcagle@codeaurora.org>
Signed-off-by: default avatarShantanu Jain <shjain@codeaurora.org>
parent 844aad38
+27 −4
@@ -2085,6 +2085,12 @@ static int synaptics_rmi4_f11_init(struct synaptics_rmi4_data *rmi4_data,
	rmi4_data->max_touch_width = MAX_F11_TOUCH_WIDTH;

	fhandler->intr_reg_num = (intr_count + 7) / 8;
	if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) {
		fhandler->intr_reg_num = 0;
		fhandler->num_of_data_sources = 0;
		fhandler->intr_mask = 0;
		return -EINVAL;
	}
	if (fhandler->intr_reg_num != 0)
		fhandler->intr_reg_num -= 1;

@@ -2356,6 +2362,13 @@ static int synaptics_rmi4_f12_init(struct synaptics_rmi4_data *rmi4_data,
			rmi4_data->num_of_tx);

	fhandler->intr_reg_num = (intr_count + 7) / 8;
	if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) {
		fhandler->intr_reg_num = 0;
		fhandler->num_of_data_sources = 0;
		fhandler->intr_mask = 0;
		retval = -EINVAL;
		goto free_function_handler_mem;
	}
	if (fhandler->intr_reg_num != 0)
		fhandler->intr_reg_num -= 1;

@@ -2485,6 +2498,13 @@ static int synaptics_rmi4_f1a_init(struct synaptics_rmi4_data *rmi4_data,
	fhandler->num_of_data_sources = fd->intr_src_count;

	fhandler->intr_reg_num = (intr_count + 7) / 8;
	if (fhandler->intr_reg_num >= MAX_INTR_REGISTERS) {
		fhandler->intr_reg_num = 0;
		fhandler->num_of_data_sources = 0;
		fhandler->intr_mask = 0;
		retval = -EINVAL;
		goto error_exit;
	}
	if (fhandler->intr_reg_num != 0)
		fhandler->intr_reg_num -= 1;

@@ -2835,7 +2855,8 @@ flash_prog_mode:
	dev_dbg(&rmi4_data->i2c_client->dev,
			"%s: Number of interrupt registers = %d\n",
			__func__, rmi4_data->num_of_intr_regs);

	if (rmi4_data->num_of_intr_regs >= MAX_INTR_REGISTERS)
		return -EINVAL;
	memset(rmi4_data->intr_mask, 0x00, sizeof(rmi4_data->intr_mask));

	/*
@@ -3712,6 +3733,7 @@ err_enable_irq:
	input_unregister_device(rmi4_data->input_dev);

err_register_input:
err_free_gpios:
	mutex_lock(&rmi->support_fn_list_mutex);
	if (!list_empty(&rmi->support_fn_list)) {
		list_for_each_entry_safe(fhandler, next_fhandler,
@@ -3719,14 +3741,15 @@ err_register_input:
			if (fhandler->fn_number == SYNAPTICS_RMI4_F1A)
				synaptics_rmi4_f1a_kfree(fhandler);
			else {
				if (fhandler->data != NULL)
					kfree(fhandler->data);
				if (fhandler->extra != NULL)
					kfree(fhandler->extra);
			}
			kfree(fhandler);
		}
	}
	mutex_unlock(&rmi->support_fn_list_mutex);
err_free_gpios:
	if (gpio_is_valid(rmi4_data->board->reset_gpio))
		gpio_free(rmi4_data->board->reset_gpio);
	if (gpio_is_valid(rmi4_data->board->irq_gpio))
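Review bot: The new range checks in synaptics_rmi4_f11_init, synaptics_rmi4_f12_init, synaptics_rmi4_f1a_init and the `num_of_intr_regs` check after `flash_prog_mode:` all fail with -EINVAL without logging anything, so a controller that reports an out-of-range interrupt source count leaves no trace beyond a failed probe. Each branch could emit a line first, for example `dev_err(&rmi4_data->i2c_client->dev, "%s: interrupt register count out of range\n", __func__);`, which makes a faulty or tampered touch controller visible in the kernel log. The three init checks compare against `MAX_INTR_REGISTERS` before the `-= 1` adjustment, which looks deliberately conservative by one; a short comment such as `/* checked before the decrement below; the stored value is used as an array index */` would keep a later reader from "fixing" the order. All of these functions begin and end outside the visible hunks, so whether the direct `return -EINVAL` in f11_init skips cleanup that f12 and f1a reach through their `goto` labels cannot be confirmed from this page.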