CVE-2021-47097

In the Linux kernel, the following vulnerability has been resolved:

Input: elantech - fix stack out of bound access in elantechchangereport_id()

The array param[] in elantechchangereportid() must be at least 3 bytes, because elantechreadregparams() is calling ps2command() with PSMOUSECMD_GETINFO, that is going to access 3 bytes from param[], but it's defined in the stack as an array of 2 bytes, therefore we have a potential stack out-of-bounds access here, also confirmed by KASAN:

[ 6.512374] BUG: KASAN: stack-out-of-bounds in _ps2command+0x372/0x7e0 [ 6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118

[ 6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110 [ 6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020 [ 6.512436] Workqueue: eventslong seriohandleevent [ 6.512453] Call Trace: [ 6.512462] showstack+0x52/0x58 [ 6.512474] dumpstack+0xa1/0xd3 [ 6.512487] printaddressdescription.constprop.0+0x1d/0x140 [ 6.512502] ? _ps2command+0x372/0x7e0 [ 6.512516] _kasanreport.cold+0x7d/0x112 [ 6.512527] ? _rawwritelockirq+0x20/0xd0 [ 6.512539] ? _ps2command+0x372/0x7e0 [ 6.512552] kasanreport+0x3c/0x50 [ 6.512564] _asanload1+0x6a/0x70 [ 6.512575] _ps2command+0x372/0x7e0 [ 6.512589] ? ps2drain+0x240/0x240 [ 6.512601] ? devprintkemit+0xa2/0xd3 [ 6.512612] ? devvprintkemit+0xc5/0xc5 [ 6.512621] ? _kasancheckwrite+0x14/0x20 [ 6.512634] ? mutexlock+0x8f/0xe0 [ 6.512643] ? _mutexlockslowpath+0x20/0x20 [ 6.512655] ps2command+0x52/0x90 [ 6.512670] elantechps2command+0x4f/0xc0 [psmouse] [ 6.512734] elantechchangereportid+0x1e6/0x256 [psmouse] [ 6.512799] ? elantechreporttrackpoint.constprop.0.cold+0xd/0xd [psmouse] [ 6.512863] ? ps2command+0x7f/0x90 [ 6.512877] elantechqueryinfo.cold+0x6bd/0x9ed [psmouse] [ 6.512943] ? elantechsetupps2+0x460/0x460 [psmouse] [ 6.513005] ? psmousereset+0x69/0xb0 [psmouse] [ 6.513064] ? psmouseattrsethelper+0x2a0/0x2a0 [psmouse] [ 6.513122] ? physpmdinit+0x30e/0x521 [ 6.513137] elantechinit+0x8a/0x200 [psmouse] [ 6.513200] ? elantechinitps2+0xf0/0xf0 [psmouse] [ 6.513249] ? elantechqueryinfo+0x440/0x440 [psmouse] [ 6.513296] ? synapticssendcmd+0x60/0x60 [psmouse] [ 6.513342] ? elantechqueryinfo+0x440/0x440 [psmouse] [ 6.513388] ? psmousetryprotocol+0x11e/0x170 [psmouse] [ 6.513432] psmouseextensions+0x65d/0x6e0 [psmouse] [ 6.513476] ? psmousetryprotocol+0x170/0x170 [psmouse] [ 6.513519] ? mutexunlock+0x22/0x40 [ 6.513526] ? ps2command+0x7f/0x90 [ 6.513536] ? psmouseprobe+0xa3/0xf0 [psmouse] [ 6.513580] psmouseswitchprotocol+0x27d/0x2e0 [psmouse] [ 6.513624] psmouseconnect+0x272/0x530 [psmouse] [ 6.513669] seriodriverprobe+0x55/0x70 [ 6.513679] reallyprobe+0x190/0x720 [ 6.513689] driverprobedevice+0x160/0x1f0 [ 6.513697] devicedriverattach+0x119/0x130 [ 6.513705] ? devicedriverattach+0x130/0x130 [ 6.513713] _driverattach+0xe7/0x1a0 [ 6.513720] ? devicedriverattach+0x130/0x130 [ 6.513728] busforeachdev+0xfb/0x150 [ 6.513738] ? subsysdeviterexit+0x10/0x10 [ 6.513748] ? _rawwriteunlockbh+0x30/0x30 [ 6.513757] driverattach+0x2d/0x40 [ 6.513764] seriohandleevent+0x199/0x3d0 [ 6.513775] processonework+0x471/0x740 [ 6.513785] workerthread+0x2d2/0x790 [ 6.513794] ? processonework+0x740/0x740 [ 6.513802] kthread+0x1b4/0x1e0 [ 6.513809] ? setkthreadstruct+0x80/0x80 [ 6.513816] retfromfork+0x22/0x30

[ 6.513832] The buggy address belongs to the page: [ 6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7 [ 6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) [ 6.513860] raw: 0 ---truncated---