Re: [PATCH] Input: joydev - prevent potential read overflow in ioctl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Dan,

On Wed, Feb 17, 2021 at 09:10:15AM +0300, Dan Carpenter wrote:
> The problem here is that "len" might be less than "joydev->nabs" so the
> loops which verfy abspam[i] and keypam[] might read beyond the buffer.
> 
> Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Thank you for the patch.

> ---
>  drivers/input/joydev.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
> index a2b5fbba2d3b..750f4513fe20 100644
> --- a/drivers/input/joydev.c
> +++ b/drivers/input/joydev.c
> @@ -456,7 +456,7 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,
>  	if (IS_ERR(abspam))
>  		return PTR_ERR(abspam);
>  
> -	for (i = 0; i < joydev->nabs; i++) {
> +	for (i = 0; i < len && i < joydev->nabs; i++) {
>  		if (abspam[i] > ABS_MAX) {
>  			retval = -EINVAL;
>  			goto out;
> @@ -487,7 +487,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
>  	if (IS_ERR(keypam))
>  		return PTR_ERR(keypam);
>  
> -	for (i = 0; i < joydev->nkey; i++) {
> +	for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {


I think we also need to make sure that len is even. Do you mind if I add
the check at the top of the function to return -EINVAL if it is odd?

>  		if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
>  			retval = -EINVAL;
>  			goto out;
> -- 
> 2.30.0
> 

Thanks.

-- 
Dmitry



[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux