New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users
Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Sep 2014
Cc:



Sign in to add a comment
PicoLCD HID device driver pool overflow
Project Member Reported by scvitti@google.com, Aug 25 2014 Back to list
Nexus 7 config show enabled by default:

CONFIG_HID_PICOLCD=y

Structure with raw event registered:

From /devices/hid/hid-picolcd_core.c

static struct hid_driver picolcd_driver = {
	.name =          "hid-picolcd",
	.id_table =      picolcd_devices,
	.probe =         picolcd_probe,
	.remove =        picolcd_remove,
	.raw_event =     picolcd_raw_event,
#ifdef CONFIG_PM
	.suspend =       picolcd_suspend,
	.resume =        picolcd_resume,
	.reset_resume =  picolcd_reset_resume,
#endif
};
…



static int picolcd_raw_event(struct hid_device *hdev,
		struct hid_report *report, u8 *raw_data, int size)
{
	struct picolcd_data *data = hid_get_drvdata(hdev);
	unsigned long flags;
	int ret = 0;

	if (!data)
		return 1;

	if (report->id == REPORT_KEY_STATE) {
		if (data->input_keys)
			ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
	} else if (report->id == REPORT_IR_DATA) {
		ret = picolcd_raw_cir(data, report, raw_data+1, size-1);
	} else {
		spin_lock_irqsave(&data->lock, flags);
		/*
		 * We let the caller of picolcd_send_and_wait() check if the
		 * report we got is one of the expected ones or not.
		 */
		if (data->pending) {
			// data->pending->raw_data fixed size 64 byte buffer
			// believe size can be > 65 bytes

			memcpy(data->pending->raw_data, raw_data+1, size-1);
			data->pending->raw_size  = size-1;
			data->pending->in_report = report;
			complete(&data->pending->ready);
		}
		spin_unlock_irqrestore(&data->lock, flags);
	}

	picolcd_debug_raw_event(data, hdev, report, raw_data, size);
	return 1;
}


From /devices/hid/hid-picolcd.h

struct picolcd_data {
	struct hid_device *hdev;
#ifdef CONFIG_DEBUG_FS
	struct dentry *debug_reset;
	struct dentry *debug_eeprom;
	struct dentry *debug_flash;
	struct mutex mutex_flash;
	int addr_sz;
#endif
	u8 version[2];
	unsigned short opmode_delay;
	/* input stuff */
	u8 pressed_keys[2];
	struct input_dev *input_keys;
#ifdef CONFIG_HID_PICOLCD_CIR
	struct rc_dev *rc_dev;
#endif
	unsigned short keycode[PICOLCD_KEYS];

#ifdef CONFIG_HID_PICOLCD_FB
	/* Framebuffer stuff */
	struct fb_info *fb_info;
#endif /* CONFIG_HID_PICOLCD_FB */
#ifdef CONFIG_HID_PICOLCD_LCD
	struct lcd_device *lcd;
	u8 lcd_contrast;
#endif /* CONFIG_HID_PICOLCD_LCD */
#ifdef CONFIG_HID_PICOLCD_BACKLIGHT
	struct backlight_device *backlight;
	u8 lcd_brightness;
	u8 lcd_power;
#endif /* CONFIG_HID_PICOLCD_BACKLIGHT */
#ifdef CONFIG_HID_PICOLCD_LEDS
	/* LED stuff */
	u8 led_state;
	struct led_classdev *led[8];
#endif /* CONFIG_HID_PICOLCD_LEDS */

	/* Housekeeping stuff */
	spinlock_t lock;
	struct mutex mutex;
	struct picolcd_pending *pending;
	int status;
#define PICOLCD_BOOTLOADER 1
#define PICOLCD_FAILED 2
#define PICOLCD_CIR_SHUN 4
};

…

struct picolcd_pending {
	struct hid_report *out_report;
	struct hid_report *in_report;
	struct completion ready;
	int raw_size;
	u8 raw_data[64];
};
 
Project Member Comment 1 by scvitti@google.com, Aug 25 2014
Labels: -Reported-yes Reported-2014-Aug25
Project Member Comment 2 by scvitti@google.com, Sep 5 2014
Status: Fixed
Project Member Comment 3 by hawkes@google.com, Sep 11 2014
Labels: -Restrict-View-Commit CVE-2014-3186
Project Member Comment 4 by scvitti@google.com, Jan 13 2015
Labels: -Reported-2014-Aug25 Reported-2014-Aug-25
Sign in to add a comment