mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
* [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
@ 2026-05-17 12:06 Georgiy Osokin
  2026-06-29  8:46 ` Jiri Kosina
  0 siblings, 1 reply; 3+ messages in thread
From: Georgiy Osokin @ 2026-05-17 12:06 UTC (permalink / raw)
  To: bonbons, jikos, bentiss
  Cc: linux-input, linux-kernel, lvc-project, s.shtylyov

In picolcd_send_and_wait(), an integer overflow of the signed loop counter
'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
If the loop executes more than INT_MAX times, 'k' becomes negative,
making the condition 'k < size' true even when 'size' is 0.

Change the type of 'k' to 'unsigned int' to prevent the overflow and
eliminate the out-of-bounds access.

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Fixes: fabdbf2 ("HID: picoLCD: split driver code")
Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>

---
 drivers/hid/hid-picolcd_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index 2cc01e1bc1a8..d73e97c8b853 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -72,7 +72,8 @@ struct picolcd_pending *picolcd_send_and_wait(struct hid_device *hdev,
 	struct picolcd_pending *work;
 	struct hid_report *report = picolcd_out_report(report_id, hdev);
 	unsigned long flags;
-	int i, j, k;
+	int i, j;
+	unsigned int k;
 
 	if (!report || !data)
 		return NULL;
-- 
2.50.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
  2026-05-17 12:06 [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait() Georgiy Osokin
@ 2026-06-29  8:46 ` Jiri Kosina
  2026-06-29 13:16   ` Sergey Shtylyov
  0 siblings, 1 reply; 3+ messages in thread
From: Jiri Kosina @ 2026-06-29  8:46 UTC (permalink / raw)
  To: Georgiy Osokin
  Cc: bonbons, bentiss, linux-input, linux-kernel, lvc-project, s.shtylyov

On Sun, 17 May 2026, Georgiy Osokin wrote:

> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
> If the loop executes more than INT_MAX times, 'k' becomes negative,
> making the condition 'k < size' true even when 'size' is 0.
> 
> Change the type of 'k' to 'unsigned int' to prevent the overflow and
> eliminate the out-of-bounds access.
> 
> Found by Linux Verification Center (linuxtesting.org) with the Svace static
> analysis tool.
> 
> Fixes: fabdbf2 ("HID: picoLCD: split driver code")

Next time, please make the shas of commits a little bit longer to avoid 
uncertainity.

> Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>

Applied, thanks!

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
  2026-06-29  8:46 ` Jiri Kosina
@ 2026-06-29 13:16   ` Sergey Shtylyov
  0 siblings, 0 replies; 3+ messages in thread
From: Sergey Shtylyov @ 2026-06-29 13:16 UTC (permalink / raw)
  To: Jiri Kosina, Georgiy Osokin
  Cc: bonbons, bentiss, linux-input, linux-kernel, lvc-project

On 6/29/26 11:46 AM, Jiri Kosina wrote:

>> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
>> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
>> If the loop executes more than INT_MAX times, 'k' becomes negative,
>> making the condition 'k < size' true even when 'size' is 0.
>>
>> Change the type of 'k' to 'unsigned int' to prevent the overflow and
>> eliminate the out-of-bounds access.
>>
>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>> analysis tool.
>>
>> Fixes: fabdbf2 ("HID: picoLCD: split driver code")
> 
> Next time, please make the shas of commits a little bit longer to avoid
> uncertainity.
> 
>> Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
> 
> Applied, thanks!

   Hm, I think we (with the help of Sashiko [1]) arrived to the conclusion
that an overflow should never happen with the current ranges of the loop
counters. We have re-resolved this issue as false positive internally...

[1] https://lore.kernel.org/all/20260517125108.BC3FDC2BCB0@smtp.kernel.org/

> --
> Jiri Kosina
> SUSE Labs

MBR, Sergey


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-29 13:16 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-17 12:06 [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait() Georgiy Osokin
2026-06-29  8:46 ` Jiri Kosina
2026-06-29 13:16   ` Sergey Shtylyov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome