On Sun, Nov 08, 2015 at 06:37:34PM +0100, Elias Vanderstuyft wrote: > Currently the user can set ff_effects_max to zero with the EV_FF bit > (and the FF_GAIN and/or FF_AUTOCENTER bits) set, > in this case the uninitialized methods > ff->set_gain and/or ff->set_autocenter can be dereferenced, > resulting in a kernel oops. > > Check in uinput_create_device() and > print a helpful message and return -EINVAL in case the check fails. > > Signed-off-by: Elias Vanderstuyft <elias.vds@xxxxxxxxx> Applied, thank you. > --- > Changes in v2: > - Rebase on pending patches from David Herrmann and Benjamin Tissoires: > - v3 Input: uinput - add new UINPUT_DEV_SETUP and UI_ABS_SETUP ioctl > - Input: uinput - rework ABS validation > - Don't require EV_FF bit to be set when ff_effects_max is non-zero > - Move check from uinput_setup_device() to uinput_create_device() > - Update commit description > > At the same time, the new UINPUT_DEV_SETUP and UI_ABS_SETUP ioctls were > tested as well (in both orders). > The legacy write() (instead of UINPUT_DEV_SETUP) was also tested. > > drivers/input/misc/uinput.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c > index 1d93037..b9d0713 100644 > --- a/drivers/input/misc/uinput.c > +++ b/drivers/input/misc/uinput.c > @@ -272,6 +272,13 @@ static int uinput_create_device(struct uinput_device *udev) > input_set_events_per_packet(dev, 60); > } > > + if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { > + printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n", > + UINPUT_NAME); > + error = -EINVAL; > + goto fail1; > + } > + > if (udev->ff_effects_max) { > error = input_ff_create(dev, udev->ff_effects_max); > if (error) > -- > 1.9.3 > -- Dmitry
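
Review bot: The string in the added printk() names "FF_BIT", but the condition on the line above it tests EV_FF in dev->evbit, and no FF_BIT appears anywhere in the hunk. Wording it as "ff_effects_max should be non-zero when EV_FF is set" would make the log line match the bit userspace actually set. Separately, the message is emitted at KERN_DEBUG, so the "helpful message" promised in the commit description is only seen by someone reading the kernel log at debug level, and most callers will get just the -EINVAL. That level is a sensible choice for a path userspace can hit at will, but it is worth saying so in the description.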