[lvc-project] [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()

Sergey Shtylyov s.shtylyov at auroraos.dev
Mon Jun 29 16:16:02 MSK 2026


On 6/29/26 11:46 AM, Jiri Kosina wrote:

>> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
>> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
>> If the loop executes more than INT_MAX times, 'k' becomes negative,
>> making the condition 'k < size' true even when 'size' is 0.
>>
>> Change the type of 'k' to 'unsigned int' to prevent the overflow and
>> eliminate the out-of-bounds access.
>>
>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>> analysis tool.
>>
>> Fixes: fabdbf2 ("HID: picoLCD: split driver code")
> 
> Next time, please make the shas of commits a little bit longer to avoid
> uncertainty.
> 
>> Signed-off-by: Georgiy Osokin <g.osokin at auroraos.dev>
> 
> Applied, thanks!

   Hm, I think we (with the help of Sashiko [1]) arrived at the conclusion
that an overflow should never happen with the current ranges of the loop
counters. We have re-resolved this issue as a false positive internally...

[1] https://lore.kernel.org/all/20260517125108.BC3FDC2BCB0@smtp.kernel.org/

> --
> Jiri Kosina
> SUSE Labs

MBR, Sergey