git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

Input: elan_i2c_smbus - fix more potential stack buffer overflows

BugLink: http://bugs.launchpad.net/bugs/1807469
commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream.

Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack")
fixed most of the functions using i2c_smbus_read_block_data() to
allocate a buffer with the maximum block size.  However three
functions were left unchanged:

* In elan_smbus_initialize(), increase the buffer size in the same
  way.
* In elan_smbus_calibrate_result(), the buffer is provided by the
  caller (calibrate_store()), so introduce a bounce buffer.  Also
  name the result buffer size.
* In elan_smbus_get_report(), the buffer is provided by the caller
  but happens to be the right length.  Add a compile-time assertion
  to ensure this remains the case.

Cc: <stable@vger.kernel.org> # 3.19+
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

author	Ben Hutchings <ben.hutchings@codethink.co.uk>
	Tue, 19 Jun 2018 18:17:32 +0000 (11:17 -0700)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Mon, 14 Jan 2019 09:28:55 +0000 (09:28 +0000)
commit	51f13a3d7a0092979c62ab617d81f8683e717f1b
tree	4c096c7753d968e82ef2832b52061c832a410224	tree
parent	e3ffba9538f2cdf564042fe096a1c36b3c3a6cc2	commit \| diff

drivers/input/mouse/elan_i2c.h		diff \| blob \| blame \| history
drivers/input/mouse/elan_i2c_core.c		diff \| blob \| blame \| history
drivers/input/mouse/elan_i2c_smbus.c		diff \| blob \| blame \| history