From nobody Sat Feb 7 18:21:14 2026 Received: from mail-qt1-f174.google.com (mail-qt1-f174.google.com [209.85.160.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A07C318FC97 for ; Sun, 21 Dec 2025 21:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766351751; cv=none; b=u7QhaXgBruaaUrX8NtHsArM9V1x2xNXiDPKpf75Z7bVgRgMsbC61VkVMiCuDBT8p8qOagw/dAyJ+/vP5Zy8a8+evQy3YjxgLXt7cwaj4qbUtEt7LKuoU6CuoGkbxIfltFhC6pAYt9vAh9UjoURwguUTHgX71MIhQVECUGbdMk0g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766351751; c=relaxed/simple; bh=cK9VDthKEP85Yf5cgkjsEpMQtHs5d8sYy+NPhbuVDpk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=K/RcMw1YPRa1pBnDkmN8QSgaJxETYB6Z/uiYyL8DqWNW2cwO8lpqwFeBrpXP7e9xJY3KbjdhLIgCyGhfpDi53h/fe5ihrd+YuB0eDpO4KNLMDwmpJUiFDctQu7kGHlj8XAXJ+UYqtLc7A6gsHMaVBNrVv9vbbCUayjz15F/15n4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=PQPX2nd1; arc=none smtp.client-ip=209.85.160.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PQPX2nd1" Received: by mail-qt1-f174.google.com with SMTP id d75a77b69052e-4f1b147eaa9so28148831cf.3 for ; Sun, 21 Dec 2025 13:15:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766351746; x=1766956546; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=cMeyc05Ar0suF7nZCq4FUAPSW++iMC3FHYjYL4WSg3I=; b=PQPX2nd1OzGsBlUMeogYBu19ipGbbHavp5miEIs3js1hPuPJS0oYhsYq3Ui+mWOt31 w2UMNiTPxs/T821MMK7yrHZi2oLNlbQv6SZUd+e0nQxWSytlS6j3C/cUCGGRCwdeNIps bIvAY5JTTpWgvHNfguxS9q6kY+36n8y2knrU5KnPGu0/L+HL88DJdVG70fHmdsHKVbGh ADx7V5vd4v9gXsDG65kNN7MgIlRRIHYz38rbmQKu4h3Z456Ur9AN6PNAjLKANVDWkDnZ E1K6Lst76zqFO48TG7ZIEUcU4TYcsq1P9rI7UPBcu93Bc76i97d/y6mabqMyr2wFaoSy ImDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766351746; x=1766956546; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=cMeyc05Ar0suF7nZCq4FUAPSW++iMC3FHYjYL4WSg3I=; b=BmNG5Sqv40WnCIbt25GSe90qq01EFxJm+Clx9+eXCb4LLXyRgs7TrfJgNWYVNnkYQI YLjLpaMVkmHnWkEDSxk50id6PCtXc0AeqqMZoIozUTzR+l7Ji/ZynX7/QwJcG/NpUsx5 y25gJ6fCBEZgZQKK0L1r21mcfPHxAfPVoFLJmFy/wwrtUduUkHEA1KPBlemjBJY4ZtC+ GM5aCL2o9EOJTZoHjV4SQNtBhHKQI35585KGf8qH7MDUNrq05RdMdL8JfCZVJNwnqefh j8Jpen6Fkoos6YLu9PSk3d5tsxP6ZW9wg2c6tsTT7ItdQTcbzu4VL2RcgeAPAwjGZdur ZAow== X-Forwarded-Encrypted: i=1; AJvYcCVXQvfF8p6ba+yDoAAwOpxPTQaUHTyWDmLzUPkxUdE/U5Z1tORW6IThdkFAvbMOMHvHf2vMOiG42FbXKe4=@vger.kernel.org X-Gm-Message-State: AOJu0Yyc7naGeARU7gygOsLzn/Wde6122+UMQzWCHYtjcVLfUxvxga4e +2LBBf+jBrQP/W3DErrdNtiiFA2Hrb6yuLsTcIr6zfMvkHsB79eqwQn542/POg== X-Gm-Gg: AY/fxX47L4ltx4UIqsz6uc1NxYYVKnwiiY2JfeIJ27pvbF4l09a7muLNQhj5G4rcshV SQhQ7R4nPOmxjyouZVXbzbCp8uG7jBKnHR+LMpgcubxS79zqKvQ116RfLllktdMfI+lISZSVk4G HN/pybdVPzQERcO9WMWXekFbhPtC8Yr4Waebl6dSLkD3XXPfHlXSpPS4oMWnMFrd1jPnVgdlOtF GsNnCPM2ZusOSKQEtkCiWs7+HPfMuCRo4iSOCs+oyk6ZNLeVgu2kkmONJYjp4saqjjoQH5BR5cn vEVJ2pFUeRz3EQ5+i5kcuzTgG8gt0xACGpLqFaLosg+dflcqfhM/zrbsnkPF+iF4YdikGdOwpG5 qQVe462dExcDh1Y6OtpzVQSWJPZwWW2VgBghvuiR8qkC2mU1gxYd1KRmR5+HWkVdx188BVI2VVA IcvycJude/rgR6MOHVnf+iDn4siRR4zid2d8pA0dEP1C3EkuPUTmw6vwRJyvQHRfqBvZFsSiQUV UbbrcizJV8tJJz00zTJeJZ/UQBtD6wNXMNZdiDC7A== X-Google-Smtp-Source: AGHT+IGcWFUWxZvqD2/2PfGbwStyDPuwe0e8EZKb+bt69Gmb1mZB06E0fLkwJAVqHleaCi6hFoIXhg== X-Received: by 2002:a05:622a:4013:b0:4e8:aa15:c96d with SMTP id d75a77b69052e-4f4abdb59d6mr145282381cf.55.1766351746326; Sun, 21 Dec 2025 13:15:46 -0800 (PST) Received: from seungjin-HP-ENVY-Desktop-TE02-0xxx.dartmouth.edu ([129.170.197.82]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-4f4ac62e1e7sm62970691cf.21.2025.12.21.13.15.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 21 Dec 2025 13:15:45 -0800 (PST) From: pip-izony To: Dmitry Torokhov Cc: Seungjin Bae , Kyungtae Kim , Sanghoon Choi , Dan Carpenter , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data() Date: Sun, 21 Dec 2025 16:14:42 -0500 Message-ID: <20251221211442.841549-2-eeodqql09@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251220002447.392843-4-eeodqql09@gmail.com> References: <20251220002447.392843-4-eeodqql09@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Seungjin Bae The `ims_pcu_process_data()` processes incoming URB data byte by byte. However, it fails to check if the `read_pos` index exceeds IMS_PCU_BUF_SIZE. If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE, `read_pos` will increment indefinitely. Moreover, since `read_pos` is located immediately after `read_buf`, the attacker can overwrite `read_pos` itself to arbitrarily control the index. This manipulated `read_pos` is subsequently used in `ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a heap buffer overflow. Specifically, an attacker can overwrite the `cmd_done.wait.head` located at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`. Consequently, when the driver calls `complete(&pcu->cmd_done)`, it triggers a control flow hijack by using the manipulated pointer. Fix this by adding a bounds check for `read_pos` before writing to `read_buf`. If the packet is too long, discard it, log a warning, and reset the parser state. Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver") Co-developed-by: Sanghoon Choi Signed-off-by: Sanghoon Choi Signed-off-by: Seungjin Bae --- v1 -> v2: Add warning and reset the state of the parser for bad packet v2 -> v3: Add co-author information drivers/input/misc/ims-pcu.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c index 4581f1c53644..c98ef71c841e 100644 --- a/drivers/input/misc/ims-pcu.c +++ b/drivers/input/misc/ims-pcu.c @@ -450,6 +450,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, = struct urb *urb) continue; =20 if (pcu->have_dle) { + if (pcu->read_pos >=3D IMS_PCU_BUF_SIZE) { + dev_warn(pcu->dev, + "Packet too long (%d bytes), discarding\n", + pcu->read_pos); + pcu->have_stx =3D false; + pcu->have_dle =3D false; + pcu->read_pos =3D 0; + continue; + } + pcu->have_dle =3D false; pcu->read_buf[pcu->read_pos++] =3D data; pcu->check_sum +=3D data; @@ -491,6 +501,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, = struct urb *urb) break; =20 default: + if (pcu->read_pos >=3D IMS_PCU_BUF_SIZE) { + dev_warn(pcu->dev, + "Packet too long (%d bytes), discarding\n", + pcu->read_pos); + pcu->have_stx =3D false; + pcu->have_dle =3D false; + pcu->read_pos =3D 0; + continue; + } + pcu->read_buf[pcu->read_pos++] =3D data; pcu->check_sum +=3D data; break; --=20 2.43.0