Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934785AbbDIJmz (ORCPT <rfc822;w@1wt.eu>);
	Thu, 9 Apr 2015 05:42:55 -0400
Received: from mail.kernel.org ([198.145.29.136]:42364 "EHLO mail.kernel.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S933304AbbDIIye (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 9 Apr 2015 04:54:34 -0400
From: lizf@kernel.org
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
        Jiri Kosina <jkosina@suse.cz>, Zefan Li <lizefan@huawei.com>
Subject: [PATCH 3.4 095/176] HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
Date: Thu,  9 Apr 2015 16:45:43 +0800
Message-Id: <1428569224-23820-95-git-send-email-lizf@kernel.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1428569028-23762-1-git-send-email-lizf@kernel.org>
References: <1428569028-23762-1-git-send-email-lizf@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2172
Lines: 62

From: Dan Carpenter <dan.carpenter@oracle.com>

3.4.107-rc1 review patch.  If anyone has any objections, please let me know.

------------------


commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream.

This is a static checker fix.  We write some binary settings to the
sysfs file.  One of the settings is the "->startup_profile".  There
isn't any checking to make sure it fits into the
pyra->profile_settings[] array in the profile_activated() function.

I added a check to pyra_sysfs_write_settings() in both places because
I wasn't positive that the other callers were correct.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[lizf: Backported to 3.4: define the variable @settings]
Signed-off-by: Zefan Li <lizefan@huawei.com>
---
 drivers/hid/hid-roccat-pyra.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/hid/hid-roccat-pyra.c b/drivers/hid/hid-roccat-pyra.c
index df05c1b1..5346647 100644
--- a/drivers/hid/hid-roccat-pyra.c
+++ b/drivers/hid/hid-roccat-pyra.c
@@ -35,6 +35,8 @@ static struct class *pyra_class;
 static void profile_activated(struct pyra_device *pyra,
 		unsigned int new_profile)
 {
+	if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
+		return;
 	pyra->actual_profile = new_profile;
 	pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
 }
@@ -299,10 +301,15 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp,
 	int retval = 0;
 	int difference;
 	struct pyra_roccat_report roccat_report;
+	struct pyra_settings const *settings;
 
 	if (off != 0 || count != sizeof(struct pyra_settings))
 		return -EINVAL;
 
+	settings = (struct pyra_settings const *)buf;
+	if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings))
+		return -EINVAL;
+
 	mutex_lock(&pyra->pyra_lock);
 	difference = memcmp(buf, &pyra->settings, sizeof(struct pyra_settings));
 	if (difference) {
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/