superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers/input/tablet
History
Seungjin Bae 69aeb50731 Input: pegasus-notetaker - fix potential out-of-bounds access 
In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.

Fixes: 1afca2b66a ("Input: add Pegasus Notetaker tablet driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 		2025-10-17 18:04:15 -07:00
..
Kconfig Input: gtco - remove driver 2020-12-09 17:47:36 -08:00
Makefile Input: gtco - remove driver 2020-12-09 17:47:36 -08:00
acecad.c Input: tablet - use sizeof(*pointer) instead of sizeof(type) 2024-06-02 21:32:03 -07:00
aiptek.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hanwang.c Input: tablet - use sizeof(*pointer) instead of sizeof(type) 2024-06-02 21:32:03 -07:00
kbtab.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pegasus_notetaker.c Input: pegasus-notetaker - fix potential out-of-bounds access 2025-10-17 18:04:15 -07:00
wacom_serial4.c Input: tablet - use sizeof(*pointer) instead of sizeof(type) 2024-06-02 21:32:03 -07:00