Date: Fri, 6 Apr 2018 11:12:42 -0700
From: Dmitry Torokhov
To: linux-input@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Tasos Sahanidis, Samuel Thibault
Subject: [PATCH] Input: leds - fix out of bound access
Message-ID: <20180406181242.GA225849@dtor-ws>

UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with
led > LED_CHARGING:

[ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds]
[ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128

This happens because we were writing to the led structure before making
sure that it exists.

Reported-by: Tasos Sahanidis
Tested-by: Tasos Sahanidis
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov
---
 drivers/input/input-leds.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c index 766bf26601163..5f04b2d946350 100644 --- a/drivers/input/input-leds.c +++ b/drivers/input/input-leds.c
@@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, const struct input_device_id *id) { struct input_leds *leds; + struct input_led *led; unsigned int num_leds; unsigned int led_code; int led_no; @@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler, led_no = 0; for_each_set_bit(led_code, dev->ledbit, LED_CNT) { - struct input_led *led = &leds->leds[led_no]; + if (!input_led_info[led_code].name) + continue; + led = &leds->leds[led_no]; led->handle = &leds->handle; led->code = led_code; - if (!input_led_info[led_code].name) - continue; - led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", dev_name(&dev->dev), input_led_info[led_code].name); -- 2.17.0.484.g0c8726318c-goog -- Dmitry
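
Review bot: In the second hunk (@@ -119,14 +120,13 @@), the moved test "if (!input_led_info[led_code].name) continue;" only closes the out-of-bounds write if leds->leds was allocated for exactly the codes that pass this same test and led_no advances only for those codes. Neither the num_leds counting nor the led_no increment is in the visible context, so both are worth confirming against this condition. The lookup input_led_info[led_code] itself still runs for every bit set below LED_CNT, so the table needs LED_CNT entries for the check to stay in bounds. A one-line comment above the check saying that unnamed codes have no slot in leds->leds would keep a later edit from moving the led->handle and led->code assignments back above it.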