diff mbox

[1/2] Input: cyttsp - fix memcpy size param

Message ID 1368192769-24067-1-git-send-email-fery@cypress.com (mailing list archive)
State New, archived
Headers show

Commit Message

Ferruh Yigit May 10, 2013, 1:32 p.m. UTC 
memcpy param is wrong because of offset in bl_cmd, this may corrupt the
stack which may cause a crash.

Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
Signed-off-by: Ferruh Yigit <fery@cypress.com>
---
 drivers/input/touchscreen/cyttsp_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
1.7.9.5

This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Javier Martinez Canillas May 10, 2013, 1:56 p.m. UTC | #1 
Hi Ferruh,

On Fri, May 10, 2013 at 3:32 PM, Ferruh Yigit <fery@cypress.com> wrote:
> memcpy param is wrong because of offset in bl_cmd, this may corrupt the
> stack which may cause a crash.
>
> Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <fery@cypress.com>

Nice catch, thanks for fixing it

Acked-by: Javier Martinez Canillas <javier@dowhile0.org>

> ---
>  drivers/input/touchscreen/cyttsp_core.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 8e60437..97ba891 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
>         memcpy(bl_cmd, bl_command, sizeof(bl_command));
>         if (ts->pdata->bl_keys)
>                 memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
> -                       ts->pdata->bl_keys, sizeof(bl_command));
> +                       ts->pdata->bl_keys, CY_NUM_BL_KEYS);
>
>         error = ttsp_write_block_data(ts, CY_REG_BASE,
>                                       sizeof(bl_cmd), bl_cmd);
> --
> 1.7.9.5
>
> This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

In the future can you please drop this footer? It has no point to
state the above when you send emails to a public mailing list.

Best regards,
Javier
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Djalal Harouni June 17, 2013, 9:38 p.m. UTC | #2 
(Cc'ed Kees and Greg)

Hi Dmitry,

On Fri, May 10, 2013 at 04:32:48PM +0300, Ferruh Yigit wrote:
> memcpy param is wrong because of offset in bl_cmd, this may corrupt the
> stack which may cause a crash.
> 
> Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <fery@cypress.com>
> ---
>  drivers/input/touchscreen/cyttsp_core.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 8e60437..97ba891 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
>         memcpy(bl_cmd, bl_command, sizeof(bl_command));
>         if (ts->pdata->bl_keys)
>                 memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
> -                       ts->pdata->bl_keys, sizeof(bl_command));
> +                       ts->pdata->bl_keys, CY_NUM_BL_KEYS);
> 
>         error = ttsp_write_block_data(ts, CY_REG_BASE,
>                                       sizeof(bl_cmd), bl_cmd);
> --
> 1.7.9.5
I was going to send a patch and found that it was just fixed in todays
next-20130617

Anyway, will this overflow fix go for the next -rc?

Thanks in advance Dmitry!
Greg Kroah-Hartman June 17, 2013, 9:44 p.m. UTC | #3 
On Mon, Jun 17, 2013 at 10:38:59PM +0100, Djalal Harouni wrote:
> (Cc'ed Kees and Greg)

Why me?

confused...

--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
index 8e60437..97ba891 100644
--- a/drivers/input/touchscreen/cyttsp_core.c
+++ b/drivers/input/touchscreen/cyttsp_core.c
@@ -133,7 +133,7 @@  static int cyttsp_exit_bl_mode(struct cyttsp *ts)
        memcpy(bl_cmd, bl_command, sizeof(bl_command));
        if (ts->pdata->bl_keys)
                memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
-                       ts->pdata->bl_keys, sizeof(bl_command));
+                       ts->pdata->bl_keys, CY_NUM_BL_KEYS);

        error = ttsp_write_block_data(ts, CY_REG_BASE,
                                      sizeof(bl_cmd), bl_cmd);