This is a note to let you know that I've just added the patch titled Input: psmouse - fix OOB access in Elantech protocol to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: input-psmouse-fix-oob-access-in-elantech-protocol.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 7b63a88bb62ba2ddf5fcd956be85fe46624628b9 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx> Date: Thu, 11 May 2023 12:08:37 -0700 Subject: Input: psmouse - fix OOB access in Elantech protocol From: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx> commit 7b63a88bb62ba2ddf5fcd956be85fe46624628b9 upstream. The kernel only allocate 5 MT slots; check that transmitted slot ID falls within the acceptable range. Link: https://lore.kernel.org/r/ZFnEL91nrT789dbG@xxxxxxxxxx Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/input/mouse/elantech.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/drivers/input/mouse/elantech.c +++ b/drivers/input/mouse/elantech.c @@ -595,10 +595,11 @@ static void process_packet_head_v4(struc struct input_dev *dev = psmouse->dev; struct elantech_data *etd = psmouse->private; unsigned char *packet = psmouse->packet; - int id = ((packet[3] & 0xe0) >> 5) - 1; + int id; int pres, traces; - if (id < 0) + id = ((packet[3] & 0xe0) >> 5) - 1; + if (id < 0 || id >= ETP_MAX_FINGERS) return; etd->mt[id].x = ((packet[1] & 0x0f) << 8) | packet[2]; @@ -628,7 +629,7 @@ static void process_packet_motion_v4(str int id, sid; id = ((packet[0] & 0xe0) >> 5) - 1; - if (id < 0) + if (id < 0 || id >= ETP_MAX_FINGERS) return; sid = ((packet[3] & 0xe0) >> 5) - 1; 
@@ -649,7 +650,7 @@ static void process_packet_motion_v4(str input_report_abs(dev, ABS_MT_POSITION_X, etd->mt[id].x); input_report_abs(dev, ABS_MT_POSITION_Y, etd->mt[id].y); - if (sid >= 0) { + if (sid >= 0 && sid < ETP_MAX_FINGERS) { etd->mt[sid].x += delta_x2 * weight; etd->mt[sid].y -= delta_y2 * weight; input_mt_slot(dev, sid); Patches currently in stable-queue which might be from dmitry.torokhov@xxxxxxxxx are queue-4.14/input-psmouse-fix-oob-access-in-elantech-protocol.patch queue-4.14/input-xpad-delete-a-razer-deathadder-mouse-vid-pid-entry.patch
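Review bot: In the process_packet_head_v4() hunk, the new `id >= ETP_MAX_FINGERS` branch returns without any diagnostic, so a touchpad that sends an out-of-range slot ID is silently ignored. The 3-bit field `(packet[3] & 0xe0) >> 5` minus one can be as large as 6, which is above the 5 MT slots the commit message mentions, so this path is reachable from ordinary packet data. Consider a rate-limited debug message on the rejection path, and a one-line comment noting that the wire field is wider than the range the check accepts. Splitting the declaration of id from its assignment is unrelated to the fix and could be left out of a stable backport.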
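Review bot: In the first process_packet_motion_v4() hunk, `if (id < 0 || id >= ETP_MAX_FINGERS)` is now the same range test written out a second time, and sid is decoded on the following context line with the same mask and shift but is not checked there. A small helper that decodes a slot ID from a packet byte and reports whether it is in range would keep the id and sid sites consistent and make it harder for a later change to add a decode without the upper bound.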
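Review bot: In the second process_packet_motion_v4() hunk, the `sid < ETP_MAX_FINGERS` test comes after the input_report_abs() calls for etd->mt[id], so a packet with a valid id and an out-of-range sid is half-processed: the first finger is reported and the second is dropped. The existing `sid >= 0` test suggests a negative sid is the normal "no second finger" case, whereas a sid at or above ETP_MAX_FINGERS indicates a malformed packet. Either reject that case next to the id check, before anything is reported, or add a comment stating that partial processing is intended.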