Re: [PATCH 1/2] HID: multitouch: fix out-of-bounds bit access on mt_io_flags
From: Benjamin Tissoires <bentiss@kernel.org>
Date: 2026-07-01 19:12:15
Also in:
lkml, stable
From: Benjamin Tissoires <bentiss@kernel.org>
Date: 2026-07-01 19:12:15
Also in:
lkml, stable
On Thu, 02 Jul 2026 00:13:19 +0700, Trung Nguyen wrote:
mt_io_flags is a single unsigned long, but mt_process_slot(), mt_release_pending_palms() and mt_release_contacts() use it as a per-slot bitmap indexed by the slot number. That slot number is only bounded by td->maxcontacts, which is taken from the device's ContactCountMaximum feature report and can be up to 255, not by BITS_PER_LONG. [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/upstream-fixes), thanks! [1/2] HID: multitouch: fix out-of-bounds bit access on mt_io_flags https://git.kernel.org/hid/hid/c/8813b0612275 [2/2] selftests/hid: multitouch: test a large ContactCountMaximum https://git.kernel.org/hid/hid/c/b6eb022890c7 Cheers, -- Benjamin Tissoires [off-list ref]