From: Hans de Goede <hdegoede@redhat.com>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Bastien Nocera <hadess@hadess.net>
Cc: Hans de Goede <hdegoede@redhat.com>, linux-input@vger.kernel.org
Subject: [PATCH v3 09/11] Input: goodix - Add minimum firmware size check
Date: Sat, 7 Mar 2020 13:15:03 +0100 [thread overview]
Message-ID: <20200307121505.3707-9-hdegoede@redhat.com> (raw)
In-Reply-To: <20200307121505.3707-1-hdegoede@redhat.com>
Our goodix_check_cfg_* helpers do things like:
int i, raw_cfg_len = cfg->size - 2;
...
if (check_sum != cfg->data[raw_cfg_len]) {
When cfg->size < 2, this will end up indexing the cfg->data array with
a negative value, which will not end well.
To fix this this commit adds a new GOODIX_CONFIG_MIN_LENGTH define and
adds a minimum size check for firmware-config files using this new define.
For consistency this commit also adds a new GOODIX_CONFIG_GT9X_LENGTH for
the length used for recent gt9xx and gt1xxx chips, instead of using
GOODIX_CONFIG_MAX_LENGTH for this, so that if other length defines get
added in the future it will be clear that the MIN and MAX defines should
contain the min and max values of all the other defines.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
Changes in v2:
- New patch in v2 of this patch series
---
drivers/input/touchscreen/goodix.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c
index eb57c39dc55b..5227223e666b 100644
--- a/drivers/input/touchscreen/goodix.c
+++ b/drivers/input/touchscreen/goodix.c
@@ -39,9 +39,11 @@
#define GOODIX_MAX_CONTACT_SIZE 9
#define GOODIX_MAX_CONTACTS 10
-#define GOODIX_CONFIG_MAX_LENGTH 240
+#define GOODIX_CONFIG_MIN_LENGTH 186
#define GOODIX_CONFIG_911_LENGTH 186
#define GOODIX_CONFIG_967_LENGTH 228
+#define GOODIX_CONFIG_GT9X_LENGTH 240
+#define GOODIX_CONFIG_MAX_LENGTH 240
/* Register defines */
#define GOODIX_REG_COMMAND 0x8040
@@ -109,7 +111,7 @@ static void goodix_calc_cfg_checksum_16(struct goodix_ts_data *ts);
static const struct goodix_chip_data gt1x_chip_data = {
.config_addr = GOODIX_GT1X_REG_CONFIG_DATA,
- .config_len = GOODIX_CONFIG_MAX_LENGTH,
+ .config_len = GOODIX_CONFIG_GT9X_LENGTH,
.check_config = goodix_check_cfg_16,
.calc_config_checksum = goodix_calc_cfg_checksum_16,
};
@@ -130,7 +132,7 @@ static const struct goodix_chip_data gt967_chip_data = {
static const struct goodix_chip_data gt9x_chip_data = {
.config_addr = GOODIX_GT9X_REG_CONFIG_DATA,
- .config_len = GOODIX_CONFIG_MAX_LENGTH,
+ .config_len = GOODIX_CONFIG_GT9X_LENGTH,
.check_config = goodix_check_cfg_8,
.calc_config_checksum = goodix_calc_cfg_checksum_8,
};
@@ -509,7 +511,8 @@ static void goodix_calc_cfg_checksum_16(struct goodix_ts_data *ts)
static int goodix_check_cfg(struct goodix_ts_data *ts,
const struct firmware *cfg)
{
- if (cfg->size > GOODIX_CONFIG_MAX_LENGTH) {
+ if (cfg->size < GOODIX_CONFIG_MIN_LENGTH ||
+ cfg->size > GOODIX_CONFIG_MAX_LENGTH) {
dev_err(&ts->client->dev,
"The length of the config fw is not correct");
return -EINVAL;
--
2.25.1
next prev parent reply other threads:[~2020-03-07 12:15 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-07 12:14 [PATCH v3 01/11] Input: goodix - Refactor IRQ pin GPIO accesses Hans de Goede
2020-03-07 12:14 ` [PATCH v3 02/11] Input: goodix - Make loading the config from disk independent from the GPIO setup Hans de Goede
2020-03-07 12:14 ` [PATCH v3 03/11] Input: goodix - Make resetting the controller at probe " Hans de Goede
2020-03-07 12:14 ` [PATCH v3 04/11] Input: goodix - Add support for getting IRQ + reset GPIOs on Cherry Trail devices Hans de Goede
2020-03-09 17:12 ` Bastien Nocera
2020-03-07 12:14 ` [PATCH v3 05/11] Input: goodix - Add support for getting IRQ + reset GPIOs on Bay " Hans de Goede
2020-03-07 12:15 ` [PATCH v3 06/11] Input: goodix - Add support for controlling the IRQ pin through ACPI methods Hans de Goede
2020-03-07 12:15 ` [PATCH v3 07/11] Input: goodix - Move defines to above struct goodix_ts_data declaration Hans de Goede
2020-03-07 12:15 ` [PATCH v3 08/11] Input: goodix - Save a copy of the config from goodix_read_config() Hans de Goede
2020-03-07 12:15 ` Hans de Goede [this message]
2020-03-09 17:13 ` [PATCH v3 09/11] Input: goodix - Add minimum firmware size check Bastien Nocera
2020-03-07 12:15 ` [PATCH v3 10/11] Input: goodix - Make goodix_send_cfg() take a raw buffer as argument Hans de Goede
2020-03-07 12:15 ` [PATCH v3 11/11] Input: goodix - Restore config on resume if necessary Hans de Goede
2020-03-09 17:10 ` [PATCH v3 01/11] Input: goodix - Refactor IRQ pin GPIO accesses Bastien Nocera
2020-03-24 18:51 ` Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200307121505.3707-9-hdegoede@redhat.com \
--to=hdegoede@redhat.com \
--cc=dmitry.torokhov@gmail.com \
--cc=hadess@hadess.net \
--cc=linux-input@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).