On Tue, Nov 16, 2021 at 08:22:23AM +0100, Andrea Righi wrote:
> The array param[] in elantech_change_report_id() must be at least 3
> bytes, because elantech_read_reg_params() is calling ps2_command() with
> PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but
> it's defined in the stack as an array of 2 bytes, therefore we have a
> potential stack out-of-bounds access here, also confirmed by KASAN:

I think a comment in the code why the array size is 3 when only 2 values
are defined would be helpful. Like a short summary of the above.
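Added example, not part of the thread or of the kernel patch: a userspace C model of why a 2-byte param[] is too small for PSMOUSE_CMD_GETINFO. The command value 0x03e9 and the byte-count nibbles follow the kernel's psmouse.h and libps2; ps2_command_checked(), its size argument and the response bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>

/* Value of PSMOUSE_CMD_GETINFO in the kernel's psmouse.h. */
#define PSMOUSE_CMD_GETINFO 0x03e9

/* libps2 packs byte counts into the command word:
 * bits 12-15 = parameter bytes sent, bits 8-11 = response bytes received. */
static size_t ps2_send_len(unsigned int cmd) { return (cmd >> 12) & 0xf; }
static size_t ps2_recv_len(unsigned int cmd) { return (cmd >> 8) & 0xf; }

/* Smallest param[] that is safe to pass for this command. */
static size_t ps2_param_len(unsigned int cmd)
{
    size_t s = ps2_send_len(cmd), r = ps2_recv_len(cmd);
    return s > r ? s : r;
}

/* Hypothetical checked wrapper (the real ps2_command() takes no size):
 * refuses the call instead of writing past the end of param[]. */
static int ps2_command_checked(unsigned char *param, size_t param_size,
                               unsigned int cmd)
{
    size_t i, recv = ps2_recv_len(cmd);

    if (param_size < ps2_param_len(cmd))
        return -1;                              /* buffer too small */
    for (i = 0; i < recv; i++)
        param[i] = (unsigned char)(0xa0 + i);   /* constructed response */
    return 0;
}

/* The declaration described in the report: 2 bytes, GETINFO returns 3. */
static int call_with_two_bytes(void)
{
    unsigned char param[2] = { 0 };
    return ps2_command_checked(param, sizeof(param), PSMOUSE_CMD_GETINFO);
}

/* The corrected size: all 3 response bytes fit. */
static int call_with_three_bytes(void)
{
    unsigned char param[3] = { 0 };
    int rc = ps2_command_checked(param, sizeof(param), PSMOUSE_CMD_GETINFO);
    return (rc == 0 && param[2] == 0xa2) ? 0 : -1;
}

int main(void)
{
    return (call_with_two_bytes() == -1 && call_with_three_bytes() == 0) ? 0 : 1;
}
```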