On Sat, 7 Dec 2019, Dmitry Torokhov wrote: > We should not be leaving half-mapped usages with potentially invalid > keycodes, as that may confuse hidinput_find_key() when the key is located > by index, which may end up feeding way too large keycode into the VT > keyboard handler and cause OOB write there: > > BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] > BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] > BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 > Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 > ... > kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] > kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 > input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 > input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 > input_pass_values drivers/input/input.c:949 [inline] > input_set_keycode+0x290/0x320 drivers/input/input.c:954 > evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 > evdev_do_ioctl drivers/input/evdev.c:1150 [inline] > > Reported-by: syzbot+19340dff067c2d3835c0@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx> > --- > > v2: fixed up interaction with hid-multitouch according to Benjamin's > feedback > > Please consider tagging for stable. I'd like to push this for 5.5 (and tag for stable), but would prefer this to have gone through the full battery of Benjamin's testing infrastructure first. Benjamin, did you have chance to run Dmitry's patch through your machinery? Thanks, -- Jiri Kosina SUSE Labs
