On Thu, Sep 17, 2015 at 07:29:48PM +0200, Elias Vanderstuyft wrote:
> Currently the user can specify a non-zero value for ff_effects_max,
> without setting the EV_FF bit.
> Inversely,
> the user can also set ff_effects_max to zero with the EV_FF bit set,
> in this case the uninitialized method ff->upload can be dereferenced,
> resulting in a kernel oops.
>
> Instead of adding a check in uinput_create_device() and
> omitting setup of ff-core infrastructure silently in case the check fails,
> perform the check early in uinput_setup_device(),
> and print a helpful message and return -EINVAL in case the check fails.
>
> Signed-off-by: Elias Vanderstuyft <elias.vds@xxxxxxxxx>
> ---
> drivers/input/misc/uinput.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
> index 345df9b..3a90a16 100644
> --- a/drivers/input/misc/uinput.c
> +++ b/drivers/input/misc/uinput.c
> @@ -393,6 +393,21 @@ static int uinput_setup_device(struct uinput_device *udev,
> if (IS_ERR(user_dev))
> return PTR_ERR(user_dev);
>
> + if (!!user_dev->ff_effects_max ^ test_bit(EV_FF, dev->evbit)) {
> + if (user_dev->ff_effects_max)
> + printk(KERN_DEBUG
> + "%s: ff_effects_max (%u) should be zero "
> + "when FF_BIT is not set\n",
> + UINPUT_NAME, user_dev->ff_effects_max);
> + else
> + printk(KERN_DEBUG
> + "%s: ff_effects_max should be non-zero "
> + "when FF_BIT is set\n",
> + UINPUT_NAME);
I do not think this is the right place for this check: userspace is
allowed to write device structure before calling any ioctls to set
various bits. Also, userspace doe snot have to explicitly set EV_FF bit
as input_ff_create() does it for us.
I think the check should be in uinput_create_device() and we should only
check case when udev->ff_effects_max is 0 but EV_FF is set.
Thanks.
--
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
