Package: openrazer / 3.5.1+dfsg-2+deb12u1

0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch

From 42f4b7c4eab618031b2c9bb19188c69f40900c52 Mon Sep 17 00:00:00 2001
From: Luca Weiss <luca@lucaweiss.eu>
Date: Thu, 10 Apr 2025 20:34:39 +0200
Subject: driver: Fix possible integer overflow in write_matrix_custom_frame

When a user passes start_col=0x00 and stop_col=0x55 with the data,
row_length can easily wrap around leading to undesired behavior
including out of bounds read while copying data into report.arguments.

Avoid the overflow by making sure the underlying type has enough space
for the value ((255 + 1) - 0) * 3 = 768.

Issue: https://github.com/openrazer/openrazer/issues/2433
---
 driver/razeraccessory_driver.c | 2 +-
 driver/razerkbd_driver.c       | 2 +-
 driver/razermouse_driver.c     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/driver/razeraccessory_driver.c b/driver/razeraccessory_driver.c
index 2bfb00e0..0928b0bb 100644
--- a/driver/razeraccessory_driver.c
+++ b/driver/razeraccessory_driver.c
@@ -830,7 +830,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
     unsigned char row_id;
     unsigned char start_col;
     unsigned char stop_col;
-    unsigned char row_length;
+    size_t row_length;
 
     //printk(KERN_ALERT "razermyg: Total count: %d\n", (unsigned char)count);
 
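Review bot: widening `row_length` to `size_t` removes the 8-bit wrap, but nothing in this hunk shows that `stop_col >= start_col` is enforced. Both are `unsigned char`, so if the length is derived as in the commit message, ((stop_col + 1) - start_col) * 3, an inverted range produces a negative int that now converts to a very large `size_t` rather than a small wrapped byte. Suggest rejecting `start_col > stop_col` with an error return before the length is computed, if that is not already done further down in the function.
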
diff --git a/driver/razerkbd_driver.c b/driver/razerkbd_driver.c
index 672f88a0..c647202c 100644
--- a/driver/razerkbd_driver.c
+++ b/driver/razerkbd_driver.c
@@ -2484,7 +2484,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
     unsigned char row_id;
     unsigned char start_col;
     unsigned char stop_col;
-    unsigned char row_length;
+    size_t row_length;
 
     //printk(KERN_ALERT "razerkbd: Total count: %d\n", (unsigned char)count);
 
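Review bot: the new `size_t row_length` can reach 768 according to the commit message, so the copy into `report.arguments` needs an explicit upper bound, and the declaration change alone does not show one. Suggest checking `row_length` against both the bytes remaining in `count` and the size of `report.arguments` before copying, and noting the maximum value in a comment next to the declaration.
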
diff --git a/driver/razermouse_driver.c b/driver/razermouse_driver.c
index 01c95f3f..e325920d 100644
--- a/driver/razermouse_driver.c
+++ b/driver/razermouse_driver.c
@@ -2230,7 +2230,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
     unsigned char row_id;
     unsigned char start_col;
     unsigned char stop_col;
-    unsigned char row_length;
+    size_t row_length;
 
     //printk(KERN_ALERT "razermouse: Total count: %d\n", (unsigned char)count);
 
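Review bot: this is the third identical one-line change to `razer_attr_write_matrix_custom_frame`, after razeraccessory_driver.c and razerkbd_driver.c, which indicates the `row_id` / `start_col` / `stop_col` / `row_length` handling is duplicated per driver. Consider moving the header parsing and length validation into one shared helper so a later fix lands in a single place. Separately, the commented-out `printk` in the context lines casts `count` to `unsigned char`, the same truncation pattern; if it is ever re-enabled it should print `count` untruncated.
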
-- 
2.30.2
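
Added example, not part of the patch or of the OpenRazer source: a small C model of the truncation the commit message describes, with the 8-bit and widened length computations side by side and a range check. The function names, the `frame_fits` helper and the capacity values are assumptions; the formula follows the commit message's ((255 + 1) - 0) * 3.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not OpenRazer code. All names here are hypothetical. */

/* Before: the product is stored in 8 bits and truncated modulo 256. */
static size_t row_length_u8(unsigned char start_col, unsigned char stop_col)
{
    unsigned char row_length = ((stop_col + 1) - start_col) * 3;
    return row_length;
}

/* After: size_t holds the maximum, ((255 + 1) - 0) * 3 = 768. */
static size_t row_length_wide(unsigned char start_col, unsigned char stop_col)
{
    size_t row_length = ((stop_col + 1) - start_col) * 3;
    return row_length;
}

/* Hypothetical defensive check before copying row data: returns 0 when the
 * range is ordered and the RGB bytes fit in both the bytes supplied (avail)
 * and the destination buffer (dst_cap), otherwise -1. */
static int frame_fits(unsigned char start_col, unsigned char stop_col,
                      size_t avail, size_t dst_cap)
{
    size_t need;

    if (stop_col < start_col)
        return -1;
    need = ((size_t)stop_col - start_col + 1) * 3;
    return (need <= avail && need <= dst_cap) ? 0 : -1;
}

int main(void)
{
    /* start_col=0x00, stop_col=0x55 are the values from the commit message;
     * 258 and 80 are constructed sizes for illustration. */
    printf("8-bit length: %zu\n", row_length_u8(0x00, 0x55));
    printf("wide length:  %zu\n", row_length_wide(0x00, 0x55));
    printf("fits in 80:   %d\n", frame_fits(0x00, 0x55, 258, 80));
    return 0;
}
```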