michael/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Files
9e3157c56ec7917e6a80ea53a8bd752e0037f2cb
linux/drivers
History
Seungjin Bae c4e746651b Input: pegasus-notetaker - fix potential out-of-bounds access 
[ Upstream commit 69aeb50731 ]

In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.

Fixes: 1afca2b66a ("Input: add Pegasus Notetaker tablet driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-12-03 12:45:22 +01:00
..
accessibility
acpi
ACPI: property: Return present device nodes only on fwnode interface
2025-12-03 12:45:14 +01:00
amba
android
binder: remove "invalid inc weak" check
2025-10-29 14:00:00 +01:00
ata
ata: libata-scsi: Fix system suspend for a security locked drive
2025-12-03 12:45:21 +01:00
atm
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
2025-09-04 14:05:54 +02:00
auxdisplay
base
devcoredump: Fix circular locking dependency with devcd->mutex.
2025-12-03 12:45:05 +01:00
bcma
block
drbd: add missing kref_get in handle_write_conflicts
2025-08-28 16:21:24 +02:00
bluetooth
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
2025-12-03 12:45:16 +01:00
bus
Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first"
2025-06-27 11:02:55 +01:00
cdrom
cdrom: gdrom: initialize global variable at init time
2021-05-26 12:05:19 +02:00
char
char: misc: Does not request module for miscdevice with dynamic minor
2025-12-03 12:45:10 +01:00
clk
clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
2025-10-29 13:59:51 +01:00
clocksource
clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel
2025-12-03 12:45:07 +01:00
connector
counter
counter: stm32-lptimer-cnt: fix error handling when enabling
2025-04-10 14:29:39 +02:00
cpufreq
cpufreq/longhaul: handle NULL policy in longhaul_exit
2025-12-03 12:45:07 +01:00
cpuidle
Revert "cpuidle: menu: Avoid discarding useful information"
2025-10-29 13:59:59 +01:00
crypto
crypto: atmel - Fix dma_unmap_sg() direction
2025-10-29 13:59:52 +01:00
dax
dax: make sure inodes are flushed before destroy cache
2022-04-15 14:18:12 +02:00
dca
devfreq
PM / devfreq: Fix leak in devfreq_dev_release()
2023-09-23 10:59:54 +02:00
dio
dma
dmaengine: dw-edma: Set status for callback_result
2025-12-03 12:45:11 +01:00
dma-buf
dma-buf: fix timeout handling in dma_resv_wait_timeout v2
2025-07-17 18:25:04 +02:00
edac
EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection
2025-12-03 12:45:19 +01:00
eisa
extcon
extcon: adc-jack: Cleanup wakeup source only if it was enabled
2025-12-03 12:45:16 +01:00
firewire
firmware
pmdomain: arm: scmi: Fix genpd leak on provider registration failure
2025-12-03 12:45:21 +01:00
fpga
fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()
2025-08-28 16:21:32 +02:00
fsi
fsi: master-ast-cf: Add MODULE_FIRMWARE macro
2023-09-23 10:59:37 +02:00
gnss
gnss: sirf: fix error return code in sirf_probe()
2020-06-22 09:31:20 +02:00
gpio
gpio: pca953x: fix IRQ storm on system wake up
2025-09-09 18:44:00 +02:00
gpu
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
2025-12-03 12:45:18 +01:00
greybus
greybus: Fix use-after-free bug in gb_interface_release due to race condition.
2024-07-05 09:08:20 +02:00
hid
HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155
2025-12-03 12:45:19 +01:00
hsi
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
2025-05-02 07:39:18 +02:00
hv
Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
2025-04-10 14:29:35 +02:00
hwmon
hwmon: (dell-smm) Add support for Dell OptiPlex 7040
2025-12-03 12:45:08 +01:00
hwspinlock
hwtracing
coresight: catu: Fix number of pages while using 64k pages
2025-04-10 14:29:41 +02:00
i2c
i2c: designware: Add disabling clocks when probe fails
2025-10-29 13:59:47 +01:00
i3c
i3c: don't fail if GETHDRCAP is unsupported
2025-08-28 16:21:29 +02:00
ide
idle
intel_idle: Disable IBRS during long idle
2022-10-07 09:16:55 +02:00
iio
iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register
2025-12-03 12:45:09 +01:00
infiniband
RDMA/siw: Always report immediate post SQ errors
2025-10-29 13:59:49 +01:00
input
Input: pegasus-notetaker - fix potential out-of-bounds access
2025-12-03 12:45:22 +01:00
interconnect
interconnect: Treat xlate() returning NULL node as an error
2024-01-08 11:29:45 +01:00
iommu
iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
2025-06-04 14:32:26 +02:00
ipack
ipack: ipoctal: fix module reference leak
2021-10-06 15:42:36 +02:00
irqchip
irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment
2025-12-03 12:45:07 +01:00
isdn
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
2025-12-03 12:45:19 +01:00
leds
leds: lp8860: Write full EEPROM, not only half of it
2025-03-13 12:43:06 +01:00
lightnvm
lightnvm: disable the subsystem
2022-05-09 09:03:20 +02:00
macintosh
macintosh/therm_windtunnel: fix module unload.
2024-08-19 05:33:34 +02:00
mailbox
mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
2025-10-29 13:59:52 +01:00
mcb
mcb: fix a double free bug in chameleon_parse_gdd()
2025-05-02 07:39:26 +02:00
md
dm: fix NULL pointer dereference in __dm_suspend()
2025-10-29 13:59:55 +01:00
media
media: redrat3: use int type to store negative error codes
2025-12-03 12:45:12 +01:00
memory
memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
2025-10-29 14:00:00 +01:00
memstick
memstick: Add timeout to prevent indefinite waiting
2025-12-03 12:45:06 +01:00
message
scsi: fusion: Remove unused variable 'rc'
2024-12-14 19:44:29 +01:00
mfd
mfd: madera: Work around false-positive -Wininitialized warning
2025-12-03 12:45:08 +01:00
misc
misc: genwqe: Fix incorrect cmd field being reported in error
2025-10-29 13:59:48 +01:00
mmc
mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card
2025-12-03 12:45:07 +01:00
mtd
spi: cadence-quadspi: Flush posted register writes before DAC access
2025-10-29 14:00:00 +01:00
mux
net
net: qede: Initialize qede_ll_ops with designated initializer
2025-12-03 12:45:21 +01:00
nfc
nfc: pn533: Add poll mod list filling check
2024-09-04 13:15:04 +02:00
ntb
ntb: reduce stack usage in idt_scan_mws
2025-05-02 07:39:28 +02:00
nubus
nvdimm
libnvdimm/labels: Fix divide error in nd_label_data_init()
2025-06-04 14:32:30 +02:00
nvme
nvmet-tcp: don't restore null sk_state_change
2025-06-04 14:32:35 +02:00
nvmem
nvmem: core: improve range check for nvmem_cell_write()
2025-03-13 12:43:10 +01:00
of
of: module: add buffer overflow check in of_modalias()
2025-06-04 14:32:25 +02:00
opp
OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd()
2023-09-23 10:59:40 +02:00
oprofile
parisc
parisc: iosapic.c: Fix sparse warnings
2023-10-10 21:46:39 +02:00
parport
parport_pc: add support for ASIX AX99100
2025-03-13 12:43:19 +01:00
pci
PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call
2025-12-03 12:45:10 +01:00
pcmcia
pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch
2025-10-02 13:34:30 +02:00
perf
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
2025-10-29 13:59:46 +01:00
phy
phy: cadence: cdns-dphy: Enable lower resolutions in dphy
2025-12-03 12:45:11 +01:00
pinctrl
pinctrl: check the return value of pinmux_ops::get_function_name()
2025-10-29 13:59:50 +01:00
platform
platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
2025-08-28 16:21:25 +02:00
pnp
PNP: ACPI: fix fortify warning
2024-02-23 08:24:54 +01:00
power
power: supply: bq27xxx: restrict no-battery detection to bq27000
2025-10-02 13:34:31 +02:00
powercap
powercap: call put_device() on an error path in powercap_register_control_type()
2025-04-10 14:29:36 +02:00
pps
pps: fix warning in pps_register_cdev when register device fail
2025-10-29 13:59:48 +01:00
ps3
powerpc/ps3: use dma_mapping_error()
2020-12-30 11:51:26 +01:00
ptp
ptp: Ensure info->enable callback is always set
2025-03-13 12:43:11 +01:00
pwm
pwm: berlin: Fix wrong register in suspend/resume
2025-10-29 13:59:56 +01:00
rapidio
drivers/rapidio/rio_cm.c: prevent possible heap overwrite
2025-06-27 11:02:56 +01:00
ras
regulator
regulator: fixed: fix GPIO descriptor leak on register failure
2025-12-03 12:45:18 +01:00
remoteproc
remoteproc: qcom: q6v5: Avoid handling handover twice
2025-12-03 12:45:13 +01:00
reset
reset: berlin: fix OF node leak in probe() error path
2024-11-08 16:20:28 +01:00
rpmsg
rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-06-27 11:02:48 +01:00
rtc
rtc: interface: Fix long-standing race when setting alarm
2025-10-29 13:59:53 +01:00
s390
s390/ctcm: Fix double-kfree
2025-12-03 12:45:20 +01:00
sbus
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61
2019-05-24 17:36:45 +02:00
scsi
scsi: sg: Do not sleep in atomic context
2025-12-03 12:45:20 +01:00
sfi
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
sh
sh: clk: Fix clk_enable() to return 0 on NULL clk
2025-01-09 13:23:29 +01:00
siox
siox: fix possible memory leak in siox_device_add()
2022-11-25 17:42:14 +01:00
slimbus
slimbus: messaging: Free transaction ID in delayed interrupt scenario
2025-03-13 12:43:33 +01:00
soc
pmdomain: imx: Fix reference count leak in imx_gpc_remove
2025-12-03 12:45:21 +01:00
soundwire
soundwire: stream: restore params when prepare ports fail
2025-08-28 16:21:21 +02:00
spi
spi: Try to get ACPI GPIO IRQ earlier
2025-12-03 12:45:19 +01:00
spmi
spmi: Add a check for remove callback when removing a SPMI driver
2023-05-17 11:35:49 +02:00
ssb
ssb: Fix division by zero issue in ssb_calc_clock_rate
2024-09-04 13:14:53 +02:00
staging
comedi: fix divide-by-zero in comedi_buf_munge()
2025-10-29 14:00:00 +01:00
target
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
2025-12-03 12:45:20 +01:00
tc
tee
tee: allow a driver to allocate a tee_device without a pool
2025-12-03 12:45:07 +01:00
thermal
thermal: sysfs: Return ENODATA instead of EAGAIN for reads
2025-08-28 16:21:25 +02:00
thunderbolt
thunderbolt: Fix copy+paste error in match_service_id()
2025-08-28 16:21:30 +02:00
tty
serial: 8250_dw: handle reset control deassert error
2025-12-03 12:45:06 +01:00
uio
uio_hv_generic: Set event for all channels on the device
2025-12-03 12:45:21 +01:00
usb
usb: xhci: plat: Facilitate using autosuspend for xhci plat devices
2025-12-03 12:45:13 +01:00
vfio
vfio/pci: Enable iowrite64 and ioread64 for vfio pci
2025-03-13 12:43:13 +01:00
vhost
vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
2025-09-04 14:05:53 +02:00
video
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
2025-12-03 12:45:15 +01:00
virt
vboxguest: Do not use devm for irq
2022-08-25 11:18:33 +02:00
virtio
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
2024-06-16 13:28:46 +02:00
visorbus
vlynq
vme
w1
w1: fix loop in w1_fini()
2023-07-27 08:37:19 +02:00
watchdog
watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog
2025-10-29 13:59:48 +01:00
xen
xen/events: Update virq_to_irq on migration
2025-10-29 13:59:56 +01:00
zorro
Kconfig
Makefile
Merge tag 'staging-5.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
2019-09-18 11:05:34 -07:00