There is a suspected integer overflow vulnerability in the tpdbg_write method in drivers/input/touchscreen/ft5x46/ft5x46_ts.c. When the 3rd argument `size` is set to size_t-1, the addition of 1 in kzalloc (line 3807) will wrap around to zero because of an integer overflow. kzalloc will return ZERO_SIZE_PTR, and since the check only tests for `cmd` equal to NULL (line 3810), it will be bypassed. Subsequent dereferencing of ZERO_SIZE_PTR (lines 3813, 3818) will cause a kernel oops.
An additional check for the value of `size` or for ZERO_SIZE_PTR is possibly required to fix this issue.
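The pattern described in the report, as an added user-space model (not code from the driver or from the reporter): it shows why a NULL-only check accepts a zero-length allocation, next to a form that bounds `size` before the addition and also rejects the sentinel. The `MODEL_*` names, `model_kzalloc`, and the 64-byte bound are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the kernel's zero-length sentinel (ZERO_SIZE_PTR is (void *)16). */
#define MODEL_ZERO_SIZE_PTR ((void *)16)
#define MODEL_ZERO_OR_NULL(p) ((uintptr_t)(p) <= (uintptr_t)MODEL_ZERO_SIZE_PTR)
#define MODEL_MAX_CMD 64 /* assumed bound, not taken from the driver */

/* Stand-in for kzalloc(): a zero-length request yields the sentinel, not NULL. */
static void *model_kzalloc(size_t len)
{
    return len ? calloc(1, len) : MODEL_ZERO_SIZE_PTR;
}

static void model_kfree(void *p)
{
    if (!MODEL_ZERO_OR_NULL(p))
        free(p);
}

/* Reported pattern: size + 1 with only a NULL check.
 * Returns 1 if the caller would go on to use the buffer, 0 if it bails out. */
static int null_check_only_proceeds(size_t size)
{
    void *cmd = model_kzalloc(size + 1); /* SIZE_MAX + 1 wraps to 0 */
    int proceeds = (cmd != NULL);
    model_kfree(cmd);
    return proceeds;
}

/* Hardened: bound size before the addition, treat the sentinel as failure. */
static int hardened_prepare(size_t size)
{
    void *cmd;

    if (size == 0 || size > MODEL_MAX_CMD)
        return -EINVAL;
    cmd = model_kzalloc(size + 1);
    if (MODEL_ZERO_OR_NULL(cmd))
        return -ENOMEM;
    model_kfree(cmd);
    return 0;
}

int main(void)
{
    printf("NULL-only check proceeds on wrap: %d\n", null_check_only_proceeds(SIZE_MAX));
    printf("hardened on wrap: %d, on size 5: %d\n", hardened_prepare(SIZE_MAX), hardened_prepare(5));
    return 0;
}
```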