pc/pc64: fix ps2mouse memory corruption race

there was a memory corruption bug caused by us enabling the
ps2mouseputc() handler *before* initializing packetsize.

once we enabled the handler, mouse interrupts could come
in and advance the packet buffer index (nb) beyond the
buffer boundaries.

as ps2mouseputc() only checked for ++nb == packetsize, once
nb was advanced beyond the packetsize, it would continue writing
beyond the buffer and corrupt memory with each mouse packet byte.

solution is to initialize packetsize *before* enabling the
handler, and also do a >= check in ps2mouseputc() in case the
packetsize gets changed to a smaller value at runtime.

1 files changed, 4 insertions, 5 deletions

diff --git a/sys/src/9/pc/mouse.c b/sys/src/9/pc/mouse.c
index 0519e5e76..9d69095f9 100644
--- a/sys/src/9/pc/mouse.c
+++ b/sys/src/9/pc/mouse.c
@@ -113,7 +113,7 @@ ps2mouseputc(int c, int shift)
 	}
 
 	msg[nb] = c;
-	if(++nb == packetsize){
+	if(++nb >= packetsize){
 		nb = 0;
 		if(msg[0] & 0x10)
 			msg[1] |= 0xFF00;
@@ -152,7 +152,6 @@ ps2mouseputc(int c, int shift)
 		dy = -msg[2];
 		mousetrack(dx, dy, buttons, TK2MS(MACHP(0)->ticks));
 	}
-	return;
 }
 
 /*
@@ -164,12 +163,12 @@ ps2mouse(void)
 	if(mousetype == MousePS2)
 		return;
 
-	i8042auxenable(ps2mouseputc);
-	i8042auxcmd(0xEA);	/* set stream mode */
-
 	mousetype = MousePS2;
 	packetsize = 3;
 	mousehwaccel = 0;
+
+	i8042auxenable(ps2mouseputc);
+	i8042auxcmd(0xEA);	/* set stream mode */
 }
 
 /*