It is possible for a malicious HID device to trigger a signed integer overflow (undefined behaviour) in set_abs() in the following expression by supplying bogus logical maximum and minimum values:

    int fuzz = snratio ? (fmax - fmin) / snratio : 0;

For example, if the logical_maximum is INT_MAX and logical_minimum is -1 then (fmax - fmin) resolves to INT_MAX + 1, which does not fit in a 32-bit signed int, so the subtraction overflows. Fix this by computing the difference in a 64-bit context.

Fixes: 5519cab477b6 ("HID: hid-multitouch: support for PixCir-based panels")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz qasdev00@gmail.com
---
 drivers/hid/hid-multitouch.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 22c6314a8843..687638ed6d0f 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -540,7 +540,8 @@ static void set_abs(struct input_dev *input, unsigned int code, { int fmin = field->logical_minimum; int fmax = field->logical_maximum; - int fuzz = snratio ? (fmax - fmin) / snratio : 0; + s64 diff = (s64)fmax - (s64)fmin; + int fuzz = snratio ? (int)div_s64(diff, snratio) : 0; input_set_abs_params(input, code, fmin, fmax, fuzz, 0); input_abs_set_res(input, code, hidinput_calc_abs_res(field, code)); }
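
Review bot: the (int) cast on the div_s64() result in the new fuzz line can still truncate. diff now ranges up to INT_MAX - INT_MIN, so with snratio equal to 1 and the commit message's own example (logical_maximum INT_MAX, logical_minimum -1) the quotient is INT_MAX + 1, which does not fit in int and typically wraps to a negative fuzz after the cast. The widened subtraction removes the undefined behaviour, but the device-supplied range still reaches input_set_abs_params() unvalidated; consider clamping the quotient to the range 0..INT_MAX before the cast, or rejecting fmax < fmin (which makes diff negative) before computing fuzz. Two smaller points: the second cast in "(s64)fmax - (s64)fmin" is redundant because the first already widens the expression, and div_s64() takes an s32 divisor, so it is worth confirming the type of snratio, which this hunk does not show.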