Skip to content

Commit a4891f1

Browse files
ndyerdtor
ndyer
authored and
dtor
committed
Input: atmel_mxt_ts - zero terminate config firmware file
We use sscanf to parse the configuration file, so it's necessary to zero terminate the configuration otherwise a truncated file can cause the parser to run off into uninitialised memory. Signed-off-by: Nick Dyer <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]>
1 parent f865df7 commit a4891f1

File tree

1 file changed

+24
-10
lines changed

1 file changed

+24
-10
lines changed

drivers/input/touchscreen/atmel_mxt_ts.c

Lines changed: 24 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -279,7 +279,7 @@ enum mxt_suspend_mode {
279279

280280
/* Config update context */
281281
struct mxt_cfg {
282-
const u8 *raw;
282+
u8 *raw;
283283
size_t raw_size;
284284
off_t raw_pos;
285285

@@ -1451,14 +1451,19 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw)
14511451
u32 info_crc, config_crc, calculated_crc;
14521452
u16 crc_start = 0;
14531453

1454-
cfg.raw = fw->data;
1454+
/* Make zero terminated copy of the OBP_RAW file */
1455+
cfg.raw = kmemdup_nul(fw->data, fw->size, GFP_KERNEL);
1456+
if (!cfg.raw)
1457+
return -ENOMEM;
1458+
14551459
cfg.raw_size = fw->size;
14561460

14571461
mxt_update_crc(data, MXT_COMMAND_REPORTALL, 1);
14581462

14591463
if (strncmp(cfg.raw, MXT_CFG_MAGIC, strlen(MXT_CFG_MAGIC))) {
14601464
dev_err(dev, "Unrecognised config file\n");
1461-
return -EINVAL;
1465+
ret = -EINVAL;
1466+
goto release_raw;
14621467
}
14631468

14641469
cfg.raw_pos = strlen(MXT_CFG_MAGIC);
@@ -1470,34 +1475,39 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw)
14701475
&offset);
14711476
if (ret != 1) {
14721477
dev_err(dev, "Bad format\n");
1473-
return -EINVAL;
1478+
ret = -EINVAL;
1479+
goto release_raw;
14741480
}
14751481

14761482
cfg.raw_pos += offset;
14771483
}
14781484

14791485
if (cfg.info.family_id != data->info->family_id) {
14801486
dev_err(dev, "Family ID mismatch!\n");
1481-
return -EINVAL;
1487+
ret = -EINVAL;
1488+
goto release_raw;
14821489
}
14831490

14841491
if (cfg.info.variant_id != data->info->variant_id) {
14851492
dev_err(dev, "Variant ID mismatch!\n");
1486-
return -EINVAL;
1493+
ret = -EINVAL;
1494+
goto release_raw;
14871495
}
14881496

14891497
/* Read CRCs */
14901498
ret = sscanf(cfg.raw + cfg.raw_pos, "%x%n", &info_crc, &offset);
14911499
if (ret != 1) {
14921500
dev_err(dev, "Bad format: failed to parse Info CRC\n");
1493-
return -EINVAL;
1501+
ret = -EINVAL;
1502+
goto release_raw;
14941503
}
14951504
cfg.raw_pos += offset;
14961505

14971506
ret = sscanf(cfg.raw + cfg.raw_pos, "%x%n", &config_crc, &offset);
14981507
if (ret != 1) {
14991508
dev_err(dev, "Bad format: failed to parse Config CRC\n");
1500-
return -EINVAL;
1509+
ret = -EINVAL;
1510+
goto release_raw;
15011511
}
15021512
cfg.raw_pos += offset;
15031513

@@ -1530,8 +1540,10 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw)
15301540
MXT_INFO_CHECKSUM_SIZE;
15311541
cfg.mem_size = data->mem_size - cfg.start_ofs;
15321542
cfg.mem = kzalloc(cfg.mem_size, GFP_KERNEL);
1533-
if (!cfg.mem)
1534-
return -ENOMEM;
1543+
if (!cfg.mem) {
1544+
ret = -ENOMEM;
1545+
goto release_raw;
1546+
}
15351547

15361548
ret = mxt_prepare_cfg_mem(data, &cfg);
15371549
if (ret)
@@ -1570,6 +1582,8 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw)
15701582
/* T7 config may have changed */
15711583
mxt_init_t7_power_cfg(data);
15721584

1585+
release_raw:
1586+
kfree(cfg.raw);
15731587
release_mem:
15741588
kfree(cfg.mem);
15751589
return ret;

0 commit comments

Comments
 (0)