From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

A value outside the range 0..MAX_NR_FUNC-1 in kbs->kb_func will cause an array bounds overflow on func_table. Fix this by adding a range check.

Detected by CoverityScan, CID#401961 ("Untrusted array index read")

Fixes: 079c9534a96d ("vt:tackle kbd_table")
Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>

--- drivers/tty/vt/keyboard.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index f4166263bb3a..1ecf545a96a8 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -1982,6 +1982,11 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0'; i = kbs->kb_func; + if (i < 0 || i >= MAX_NR_FUNC) { + ret = -EINVAL; + goto reterr; + } + switch (cmd) { case KDGKBSENT: sz = sizeof(kbs->kb_string) - 1; /* sz should have been -- 2.14.1
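
Review bot: the new test "if (i < 0 || i >= MAX_NR_FUNC)" after "i = kbs->kb_func;" depends on the declared types of i and kbs->kb_func and on the value of MAX_NR_FUNC, none of which appear in the hunk or the commit message. If kb_func is an unsigned type whose maximum value is below MAX_NR_FUNC, both comparisons are always false and the check is dead code; if it is wider or signed, the check is needed exactly as written. Please state the field's type and the value of MAX_NR_FUNC in the commit message so it is clear which out-of-range values can actually reach func_table. The reterr label is also outside the visible context, so it is worth confirming that jumping there at this point performs the same cleanup as the function's other error exits.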