Hi Maciej,

This is my first time looking at anything input related, so pardon if I'm off the mark here.

On 3 August 2017 at 08:44, Maciej Purski <m.purski@xxxxxxxxxxx> wrote:
[...]
> +static struct { > + u16 key; > + u16 extra_key; > + bool autorepeat; > +} rcp_keymap[] = {

Ideally this would be "const" allowing the compiler to move the data to the .rodata section, making exploits a bit harder. Then again struct input_dev::keycode is "void *" so that cannot quite work atm.

One could(?) toggle make that a const, updating the users. Many of them memcpy from const data into keycode, while others k[z]alloc and then memcpy. Might be worth listing these in the input-tree TODO list ;-)

[...]
> + set_bit(EV_KEY, i_dev->evbit); > + i_dev->name = "MHL Remote Control"; > + i_dev->keycode = rcp_keymap; > + i_dev->keycodesize = sizeof(u16);

According to the docs "... keycodesize the size of each entry in it (in bytes)...". As such this should be sizeof(rcp_keymap[0]).

At the same time, the code in input.c has a hidden assumption - keycode is an array of u8, u16 or u32 values. See functions input_fetch_keycode() and input_default_setkeycode() for details. In this patch, the size is 6 and everything will go crazy.

Couple ideas come to mind:
 - enforce keycode layout - must be a simple u8/16/32 array.
 - add separate field for the size of "key", such that one can have more complex data stored in keycode.

Of course, I could be completely wrong :-)

HTH
Emil
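
Review bot: rcp_keymap is a writable file-scope table, and the later hunk stores its address straight into i_dev->keycode, so a keymap change made through one input device would alter the single table shared by every device instance the driver creates. Keep the static table const as a template and give each device its own allocated copy for i_dev->keycode, which also fits the void * member without a cast.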
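
Review bot: in the second quoted hunk, i_dev->keycode points at an array of three-member structs while i_dev->keycodesize is sizeof(u16), so the two lines describe different layouts, and keycodemax is not among the quoted lines to show how many slots are exposed. Either point keycode at a flat u16 array and keep extra_key and autorepeat in a driver-private table, or install the device's own getkeycode/setkeycode callbacks so the default flat-array handlers are never used on this table.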
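
The stride mismatch discussed in the mail, as an added user-space example (not code from the patch, the mail, or the kernel). struct rcp_entry, sample_map, model_stride, model_fetch and flatten_keys are hypothetical names, the key values are constructed, and the lookup is an assumed model of the u8/u16/u32-only behaviour the mail attributes to input.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for one rcp_keymap entry; the key values are sample data. */
struct rcp_entry {
    uint16_t key;
    uint16_t extra_key;
    uint8_t autorepeat; /* bool in the patch */
};
static const struct rcp_entry sample_map[] = {
    { 0x0100, 0x0111, 0 },
    { 0x0200, 0x0222, 1 },
    { 0x0300, 0x0333, 0 },
};
#define SAMPLE_LEN (sizeof(sample_map) / sizeof(sample_map[0]))

/* Element width a u8/u16/u32-only lookup uses for a given keycodesize (assumed model). */
static size_t model_stride(size_t keycodesize)
{
    return keycodesize == 1 ? 1 : keycodesize == 2 ? 2 : 4;
}

/* Read slot `index` of a table viewed as a flat array of such integers. */
static uint32_t model_fetch(const void *table, size_t keycodesize, size_t index)
{
    size_t w = model_stride(keycodesize);
    const unsigned char *p = (const unsigned char *)table + index * w;
    uint32_t v32 = 0; uint16_t v16; uint8_t v8;
    if (w == 1) { memcpy(&v8, p, 1); return v8; }
    if (w == 2) { memcpy(&v16, p, 2); return v16; }
    memcpy(&v32, p, 4);
    return v32;
}

/* Layout a flat lookup can index: one u16 per key, metadata kept in sample_map. */
static void flatten_keys(uint16_t *out, size_t n)
{
    for (size_t i = 0; i < n && i < SAMPLE_LEN; i++)
        out[i] = sample_map[i].key;
}

int main(void)
{
    uint16_t flat[SAMPLE_LEN];
    flatten_keys(flat, SAMPLE_LEN);
    printf("slot 1 via struct table: 0x%04x, via flat table: 0x%04x\n",
           (unsigned)model_fetch(sample_map, 2, 1), (unsigned)model_fetch(flat, 2, 1));
    return 0;
}
```

With a 2-byte keycodesize, slot 1 of the struct table is the first entry's extra_key, and the second key only appears at slot 3; a 6-byte keycodesize falls into the 4-byte case rather than stepping by 6.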