On 2022/11/23 8:23, Dmitry Torokhov wrote:
> Hi Tetsuo,
>
> On Sat, Nov 19, 2022 at 04:09:56PM +0900, Tetsuo Handa wrote:
>> syzbot is reporting too large allocation at input_mt_init_slots() {1], for
>> num_slots is supplied from userspace using ioctl(UI_DEV_CREATE).
>> Also, replace n2 with array_size(), for 32bits variable n2 will overflow
>> if num_slots >= 65536.
>
> Not really keen on fiddling with the memory allocator flags just to
> appease syzbot. Maybe keep them as is, and simply limit the number of
> slots to something more reasonable, like 64, and return -EINVAL if it is
> above?
>
Hmm, although most users seem to pass values within "unsigned char" range,
not limited to syzbot.
drivers/input/misc/uinput.c has
nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
error = input_mt_init_slots(dev, nslot, 0);
and drivers/virtio/virtio_input.c has
nslots = input_abs_get_max(vi->idev, ABS_MT_SLOT) + 1;
err = input_mt_init_slots(vi->idev, nslots, 0);
and drivers/input/misc/xen-kbdfront.c has
int num_cont, width, height;
num_cont = xenbus_read_unsigned(info->xbdev->otherend,
XENKBD_FIELD_MT_NUM_CONTACTS,
1);
ret = input_mt_init_slots(mtouch, num_cont, INPUT_MT_DIRECT);
. Since these users might need to pass values beyond "unsigned char" range,
I think we should not limit to too small values like 64.
More worrisome thing is that several users are not handling
input_mt_init_slots() failures.
