kernel/linux.git/drivers/input/tablet, branch v3.16.76 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.16.76 2019-08-13T11:39:25+00:00 Input: gtco - bounds check collection indent level 2019-08-13T11:39:25+00:00 Grant Hernandez granthernandez@google.com 2019-07-13T08:00:12+00:00 urn:sha1:754d0ca82fed0ad682e875bea824c348d597ca28 commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out. This was discovered during code review after a previous syzkaller bug was found in this driver. Signed-off-by: Grant Hernandez <granthernandez@google.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Input: gtco - fix potential out-of-bound access 2017-11-26T13:50:39+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-10-23T23:46:00+00:00 urn:sha1:9d399eba105c6e311db9ec78ce62579ffc403c0d commit a50829479f58416a013a4ccca791336af3c584c7 upstream. parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Input: kbtab - validate number of endpoints before using them 2017-07-18T17:40:17+00:00 Johan Hovold johan@kernel.org 2017-03-16T18:41:55+00:00 urn:sha1:2832ef5728054747ac49c538974d585377b58622 commit cb1b494663e037253337623bf1ef2df727883cb7 upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer should a malicious device lack endpoints. Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Input: hanwang - validate number of endpoints before using them 2017-07-18T17:40:17+00:00 Johan Hovold johan@kernel.org 2017-03-16T18:39:29+00:00 urn:sha1:40fa8aa89a646583b20fea95191dc649ed8361cc commit ba340d7b83703768ce566f53f857543359aa1b98 upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer should a malicious device lack endpoints. Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Input: gtco - fix crash on detecting device without endpoints 2016-06-15T20:29:21+00:00 Vladis Dronov vdronov@redhat.com 2016-03-31T17:53:42+00:00 urn:sha1:772703cadb1bf378bcd5ae87db4c150da37351b6 commit 162f98dea487206d9ab79fc12ed64700667a894d upstream. The gtco driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. Also let's fix a minor coding style issue. The full correct report of this issue can be found in the public Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283385 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Signed-off-by: Vladis Dronov <vdronov@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Input: aiptek - fix crash on detecting device without endpoints 2016-03-24T10:01:16+00:00 Vladis Dronov vdronov@redhat.com 2015-12-01T21:09:17+00:00 urn:sha1:24b12688c53a46545a723cf084e25afde2ba39f3 commit 8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 upstream. The aiptek driver crashes in aiptek_probe() when a specially crafted USB device without endpoints is detected. This fix adds a check that the device has proper configuration expected by the driver. Also an error return value is changed to more matching one in one of the error paths. Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Signed-off-by: Vladis Dronov <vdronov@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Moritz Muehlenhoff <jmm@inutil.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com> HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid 2015-03-03T14:40:05+00:00 Jason Gerecke killertofu@gmail.com 2015-01-22T23:53:28+00:00 urn:sha1:4b75fa0b2727529b6e40294f294f890241d94c4b commit 33e5df0e0e32027866e9fb00451952998fc957f2 upstream. It appears that the Cintiq Companion Hybrid does not send an ABS_MISC event to userspace when any of its ExpressKeys are pressed. This is not strictly necessary now that the pad exists on its own device, but should be fixed for consistency's sake. Traditionally both the stylus and pad shared the same device node, and xf86-input-wacom would use ABS_MISC for disambiguation. Not sending this causes the Hybrid to behave incorrectly with xf86-input-wacom beginning with its 8f44f3 commit. Signed-off-by: Jason Gerecke <killertofu@gmail.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [killertofu@gmail.com: ported to drivers/input/tablet/wacom_wac.c] Signed-off-by: Jason Gerecke <killertofu@gmail.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Input: wacom - cleanup multitouch code when touch_max is 2 2014-06-15T07:28:38+00:00 Ping Cheng pinglinux@gmail.com 2014-06-13T20:37:33+00:00 urn:sha1:d7da3a3ccdeb64ceedb51b0a3377ba56cc2999fa Historically we dealt with touch_max equals to 2 differently from other MT devices. Now we use input_mt_*() to process all MT events, as long as touch_max is greater than 1. So, there is no need to take (touch_max == 2) as a special case any more. Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Jason Gerecke <killertofu@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Input: wacom - process outbound for newer Cintiqs 2014-05-29T07:09:16+00:00 Ping Cheng pinglinux@gmail.com 2014-05-29T07:08:41+00:00 urn:sha1:ac414da37f88ddbc04617d883539113f27c75f56 New Cintiq tablets have a 200 tablet counts outside of screen area. Add x/y_min for ABS_X/Y to pass this information to userland. Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Jason Gerecke <killertofu@gmail.com> Tested-by: Jason Gerecke <killertofu@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Input: wacom - set stylus_in_proximity when pen is in range 2014-05-29T07:09:16+00:00 Ping Cheng pinglinux@gmail.com 2014-05-29T07:08:20+00:00 urn:sha1:805a876af7261cbe11498ae544add0bc8ad74192 Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Jason Gerecke <killertofu@gmail.com> Tested-by: Jason Gerecke <killertofu@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>