From d61ea97ba48d0346a3c3a4d24724e9301019c92c Mon Sep 17 00:00:00 2001
From: Seung-Woo Kim
Date: Tue, 31 May 2016 17:29:39 +0900
Subject: input: touchscreen: fts: fix to use touch_id with proper event_id only

From event handler, touch_id is used as index of array, but it can be larger
than array size, and it causes out of range access for array. From event data
of the fts hw, finger touch_id is only valid when event_id is
enter/leave/motion pointer event. So this patch fixes to use touch_id as an
array index only when the proper event_id is received.

This issue is found by ubsan checker like the following:

================================================================================
UBSAN: Undefined behaviour in drivers/input/touchscreen/fts_ts.c:342:15
index 13 is out of range for type 'fts_finger [10]'
CPU: 1 PID: 98 Comm: irq/150-fts_tou Not tainted 4.1.0-01159-gfb62846 #17
Hardware name: Samsung TM2 board (DT)
Call trace:
[] dump_backtrace+0x0/0x218
[] show_stack+0x10/0x20
[] dump_stack+0x80/0xfc
[] ubsan_epilogue+0x10/0x6c
[] __ubsan_handle_out_of_bounds+0xc8/0xf4
[] fts_interrupt_handler+0x570/0x678
[] irq_thread+0x218/0x378
[] kthread+0x194/0x240
================================================================================

Change-Id: I3b2195ee0eee39b16cd05552c19c26072706125d
Signed-off-by: Seung-Woo Kim
---
 drivers/input/touchscreen/fts_ts.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'drivers/input')

diff --git a/drivers/input/touchscreen/fts_ts.c b/drivers/input/touchscreen/fts_ts.c
index b843a150ae85..6753b8930baf 100644
--- a/drivers/input/touchscreen/fts_ts.c
+++ b/drivers/input/touchscreen/fts_ts.c
@@ -339,7 +339,10 @@ static unsigned char fts_event_handler_type_b(struct fts_ts_info *info, } else if (event_id == EVENTID_MOTION_POINTER) info->finger[touch_id].mcount++; - info->finger[touch_id].state = event_id; + if ((event_id == EVENTID_ENTER_POINTER) || + (event_id == EVENTID_LEAVE_POINTER) || + (event_id == EVENTID_MOTION_POINTER)) + info->finger[touch_id].state = event_id; } input_sync(info->input_dev); -- cgit v1.2.3
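Review bot: the added guard around `info->finger[touch_id].state = event_id;` stops the out-of-range write UBSAN reported for non-pointer event ids (the trace shows index 13 against `fts_finger [10]`), but `touch_id` is still never compared against the size of `info->finger`, so a pointer event whose touch_id is 10 or more would index past the array both in `info->finger[touch_id].mcount++` and in the newly guarded `state` assignment. Because that value is read straight from the controller's event data, an explicit check before any use of the index, for example `if (touch_id >= ARRAY_SIZE(info->finger)) { dev_err(...); return ...; }` (or dropping the event), would close the hole regardless of which event ids are treated as pointer events. Minor: the three-way `event_id` comparison repeats the predicate the surrounding if/else chain already evaluates; a small helper such as `is_pointer_event(event_id)` or moving the `state` update into the existing enter/leave/motion branches would avoid restating it.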