On Wed, Oct 12, 2011 at 12:19:49AM +0300, Dan Carpenter wrote: > The problem here is that max_effects can wrap on 32 bits systems. > We'd allocate a smaller amount of data than sizeof(struct ff_device). > The call to kcalloc() on the next line would fail but it would write > the NULL return outside of the memory we just allocated causing data > corruption. > > The call path is that uinput_setup_device() get ->ff_effects_max from > the user and sets the value in the ->private_data struct. From there > it is: > -> uinput_ioctl_handler() > -> uinput_create_device() > -> input_ff_create(dev, udev->ff_effects_max); > > I've also changed ff_effects_max so it's an unsigned int instead of > a signed int as a cleanup. Applied (adding a temp to hold the size), thanks. -- Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
