Patch "Input: joydev - prevent potential read overflow in ioctl" has been added to the 5.11-stable tree

This is a note to let you know that I've just added the patch titled

    Input: joydev - prevent potential read overflow in ioctl

to the 5.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     input-joydev-prevent-potential-read-overflow-in-ioctl.patch
and it can be found in the queue-5.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 182d679b2298d62bf42bb14b12a8067b8e17b617 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Wed, 17 Feb 2021 12:21:10 -0800
Subject: Input: joydev - prevent potential read overflow in ioctl

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream.

The problem here is that "len" might be less than "joydev->nabs" so the
loops which verify abspam[i] and keypam[] might read beyond the buffer.

Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda
[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP]
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/input/joydev.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -456,7 +456,7 @@ static int joydev_handle_JSIOCSAXMAP(str
 	if (IS_ERR(abspam))
 		return PTR_ERR(abspam);
 
-	for (i = 0; i < joydev->nabs; i++) {
+	for (i = 0; i < len && i < joydev->nabs; i++) {
 		if (abspam[i] > ABS_MAX) {
 			retval = -EINVAL;
 			goto out;
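Review bot: In the loop condition `i < len && i < joydev->nabs`, `len` is used directly as an element count, whereas the keypam loop later in this patch divides the length by the entry size. That is only correct if each abspam entry is one byte wide, which these lines do not show. Writing the bound as `len / sizeof(*abspam)`, or adding a short comment that the axis map is a byte array, would keep the two handlers consistent and keep the bound correct if the element type ever changes.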
@@ -480,6 +480,9 @@ static int joydev_handle_JSIOCSBTNMAP(st
 	int i;
 	int retval = 0;
 
+	if (len % sizeof(*keypam))
+		return -EINVAL;
+
 	len = min(len, sizeof(joydev->keypam));
 
 	/* Validate the map. */
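Review bot: The new `len % sizeof(*keypam)` check carries no comment, and it changes what userspace sees: a caller passing an odd length now gets -EINVAL instead of continuing on to the `min()` clamp below. A one-line comment above the check saying that a partial trailing entry cannot be validated would help the next reader, and the changelog body should mention the new rejection; at present it appears only in the bracketed maintainer note.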
@@ -487,7 +490,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
 	if (IS_ERR(keypam))
 		return PTR_ERR(keypam);
 
-	for (i = 0; i < joydev->nkey; i++) {
+	for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
 		if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
 			retval = -EINVAL;
 			goto out;
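Review bot: The bound `(len / 2)` hard-codes the size of a keypam entry, while the check added earlier in this same function uses `sizeof(*keypam)`. Use `len / sizeof(*keypam)` here as well so the evenness check and the loop bound stay correct together. A smaller point: `i` is declared `int` in this function and is compared against a value derived from `len`; after the `min(len, sizeof(joydev->keypam))` clamp the mixed comparison is harmless, but an unsigned index would avoid it.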


Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are

queue-5.11/media-allegro-fix-use-after-free-on-error.patch
queue-5.11/asoc-cs42l56-fix-up-error-handling-in-probe.patch
queue-5.11/media-atomisp-fix-a-buffer-overflow-in-debug-code.patch
queue-5.11/media-camss-missing-error-code-in-msm_video_register.patch
queue-5.11/staging-vchiq-fix-bulk-transfers-on-64-bit-builds.patch
queue-5.11/mtd-parser-imagetag-fix-error-codes-in-bcm963xx_pars.patch
queue-5.11/asoc-cpcap-fix-microphone-timeslot-mask.patch
queue-5.11/drm-amdgpu-prevent-shift-wrapping-in-amdgpu_read_mas.patch
queue-5.11/drm-virtio-fix-an-error-code-in-virtio_gpu_init.patch
queue-5.11/rdma-rtrs-srv-do-not-pass-a-valid-pointer-to-ptr_err.patch
queue-5.11/soc-qcom-socinfo-fix-an-off-by-one-in-qcom_show_pmic.patch
queue-5.11/media-camss-fix-signedness-bug-in-video_enum_fmt.patch
queue-5.11/gma500-clean-up-error-handling-in-init.patch
queue-5.11/input-joydev-prevent-potential-read-overflow-in-ioctl.patch
queue-5.11/nvmem-core-fix-a-resource-leak-on-error-in-nvmem_add.patch
queue-5.11/input-elo-fix-an-error-code-in-elo_connect.patch
queue-5.11/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch
queue-5.11/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch
queue-5.11/ath11k-fix-a-locking-bug-in-ath11k_mac_op_start.patch
queue-5.11/staging-vchiq-fix-bulk-userdata-handling.patch
queue-5.11/phy-cadence-torrent-fix-error-code-in-cdns_torrent_p.patch
queue-5.11/octeontx2-af-fix-an-off-by-one-in-rvu_dbg_qsize_writ.patch
queue-5.11/input-sur40-fix-an-error-code-in-sur40_probe.patch
queue-5.11/scsi-lpfc-fix-ancient-double-free.patch
queue-5.11/staging-gdm724x-fix-dma-from-stack.patch
queue-5.11/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch
queue-5.11/ocfs2-fix-a-use-after-free-on-error.patch
queue-5.11/scsi-sd-sd_zbc-don-t-pass-gfp_noio-to-kvcalloc.patch


