Received: by 10.192.165.156 with SMTP id m28csp1591876imm; Wed, 11 Apr 2018 23:24:17 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/cMc9iGyNAVfDPOrzDzjLV5pfhPlOrpYEzu+EP0XqOnn5AbUsK+hsz60ZwHSHdGCjPncrJ X-Received: by 10.101.77.145 with SMTP id p17mr5722876pgq.275.1523514257853; Wed, 11 Apr 2018 23:24:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523514257; cv=none; d=google.com; s=arc-20160816; b=lXf99rjeGtCqskjakPP/AW19iAd3Wo3uwk5OfSiKG/6gMRus/CRZ02/7o5a6k1tPb/ s1WEeUb5gY0DUn544GgdczmZ85CeABlRMdsDb28yp0JTk5v3oL9SBnUgFSpZhF2/pkJo j4pY19TS0ISYZYcfgC7QpYHKrrwzo/gHU/F762lMR6WE3LgfghJO3IBL2VacEwz1ZjOt 7a7g/K9zqx6AtW6TlX/bkMt9F6Yum7mYzjdd371x2MWs40PwSMti0Xh3d5IiM3tBEADX y4AtTt7QD6v2lmkZaIsMG4uESAMAgd9bAPwSEdwXU3dRlbQrN054kAQWVX60QqOhvX1L iqfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=vUDIbSJ9ypkxhlkYlAOszGNYDnYiG9iS7zLdCKgLvr4=; b=nOhS/sduF2vVZ4ssreY36nucw6Rw5ckuASBIq2YeJS2r/awjHDBjmKcwJ0M9Yyx0Uk gQNimfgVkx2xVVo7xt3TDoeKf5VaI5Ajo8SAeAG1dKKIUz93BuGu6BgzSO67vMsnwfZx zOMHW4BtEsEknm4gz78Jycqq+ouv5a6p5FWsLOQXqTOpcg2Y+K8Xst0GqOyaKWYs1orY OUEBbaQ/XUikKeHVNtFLS/voE4t9QbNoRvGmrvWECUFrSaqZPHrQj0kWAK3qTexlCC5K 8jzHSqlGCCLK+Sd49h9TmcAjDC5jNLg4VZf7psT7XVftTE9wBaiLfxdNm03dkFxQ6Ixd MEnA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q124si1836522pgq.215.2018.04.11.23.23.41; Wed, 11 Apr 2018 23:24:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752430AbeDLGUO (ORCPT + 99 others); Thu, 12 Apr 2018 02:20:14 -0400 Received: from leo.clearchain.com ([199.73.29.74]:19526 "EHLO mail.clearchain.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750837AbeDLGUN (ORCPT ); Thu, 12 Apr 2018 02:20:13 -0400 Received: from leo.clearchain.com (localhost [127.0.0.1]) by mail.clearchain.com (8.15.2/8.15.2) with ESMTPS id w3C6JsKX060926 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 12 Apr 2018 15:49:55 +0930 (CST) (envelope-from peter.hutterer@who-t.net) X-Authentication-Warning: leo.clearchain.com: Host localhost [127.0.0.1] claimed to be leo.clearchain.com Received: (from whot@localhost) by leo.clearchain.com (8.15.2/8.15.2/Submit) id w3C6Jrqd060925; Thu, 12 Apr 2018 15:49:53 +0930 (CST) (envelope-from peter.hutterer@who-t.net) X-Authentication-Warning: leo.clearchain.com: whot set sender to peter.hutterer@who-t.net using -f Date: Thu, 12 Apr 2018 16:20:01 +1000 From: Peter Hutterer To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Tasos Sahanidis , Samuel Thibault Subject: Re: [PATCH] Input: leds - fix out of bound access Message-ID: <20180412062001.GA5560@jelly> References: <20180406181242.GA225849@dtor-ws> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180406181242.GA225849@dtor-ws> User-Agent: Mutt/1.9.2 (2017-12-15) X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.4.3 (mail.clearchain.com [127.0.0.1]); Thu, 12 Apr 2018 15:49:55 +0930 (CST) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 06, 2018 at 11:12:42AM -0700, Dmitry Torokhov wrote: > UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with > led > LED_CHARGING: > > [ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds] > [ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128 > > This happens because we were writing to the led structure before making > sure that it exists. > > Reported-by: Tasos Sahanidis > Tested-by: Tasos Sahanidis > Cc: stable@vger.kernel.org > Signed-off-by: Dmitry Torokhov Reviewed-by: Peter Hutterer Cheers, Peter > --- > drivers/input/input-leds.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c > index 766bf26601163..5f04b2d946350 100644 > --- a/drivers/input/input-leds.c > +++ b/drivers/input/input-leds.c > @@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, > const struct input_device_id *id) > { > struct input_leds *leds; > + struct input_led *led; > unsigned int num_leds; > unsigned int led_code; > int led_no; > @@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler, > > led_no = 0; > for_each_set_bit(led_code, dev->ledbit, LED_CNT) { > - struct input_led *led = &leds->leds[led_no]; > + if (!input_led_info[led_code].name) > + continue; > > + led = &leds->leds[led_no]; > led->handle = &leds->handle; > led->code = led_code; > > - if (!input_led_info[led_code].name) > - continue; > - > led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", > dev_name(&dev->dev), > input_led_info[led_code].name); > -- > 2.17.0.484.g0c8726318c-goog