Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4085951imu; Mon, 14 Jan 2019 14:48:30 -0800 (PST) X-Google-Smtp-Source: ALg8bN7Q0vrJD8/aXPdmYk3FpTClkJZxbgB+OTVVkv46y1loZau2FIUqhNfokgCaUIqdDwd32NZG X-Received: by 2002:a62:cf02:: with SMTP id b2mr785769pfg.183.1547506110371; Mon, 14 Jan 2019 14:48:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547506110; cv=none; d=google.com; s=arc-20160816; b=CaEcTRWBGJ6jBLXKh9oWDDtWtRwVktE7daP12/N40/nhSYu8eZAp4KsCvQ1v3paTap rf381hHgA3N8kFGmjbaFRoqErkzSIfkaLQ+dIIuW9eWt5FIGOibt0oqbMHaPnCP+CNOo FsneOphT3t67Iy4St0Iysgh3wfj8+vfMd3AKlUAol577rDUimCK0CCopbHkzeBPz2GRi AnpxXzscYpN0ZfTTKQ2Cps/QRCO4LHrrYADmFW6WQquAZVUmH0cQYrUFqg9nhrwNhqSA Ddw8bHFku6sG0DgdTgIEPHYKGQNDiqHjl8mTNG5S7UTcaodW3jkrhl+5XAHY5t4cdmdu fBHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-signature; bh=NHgrd3T5V4ufClGBUWgbNL6MNfQlMqZicW1/D9DPrSs=; b=hb1UToA/kIhSYMDnsuSRL9w6qbv4m95C6QqWm3Xkc8oFGIaLuGL25s7gdY06psMhHm e2k8mgpcFJqkBLNMarVXP2rI7oOY4CZbu9f6ps4MLxAdEj8yBNlHLzZAX/Yf4lEzAXBH AhwUT/cEbHEnleo+ki/xgo+2vI4xnwv4UQdgbfMcrKOSrRnFUSw+jyhHOlO+4hMNdXzZ mHTBtKjjK7biu9Jg7yUFP7ibjpAHFiHAjg1FBcM31cyBywY5s6UnRnKhPP2DNZdcE3wq EIywJTW993nlvUJsKi4tL1F9c+SbTODDYVCfcsp123eKVkSQtaqGbwjlA3pzpo0rhrI3 b0EA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@who-t.net header.s=fm2 header.b="uhoDVn/t"; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=XGggvW4D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j13si1408197pgi.227.2019.01.14.14.48.12; Mon, 14 Jan 2019 14:48:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@who-t.net header.s=fm2 header.b="uhoDVn/t"; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=XGggvW4D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726770AbfANWrC (ORCPT + 99 others); Mon, 14 Jan 2019 17:47:02 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:44221 "EHLO out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726618AbfANWrC (ORCPT ); Mon, 14 Jan 2019 17:47:02 -0500 X-Greylist: delayed 341 seconds by postgrey-1.27 at vger.kernel.org; Mon, 14 Jan 2019 17:47:01 EST Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 96472286D8; Mon, 14 Jan 2019 17:41:19 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Mon, 14 Jan 2019 17:41:19 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=who-t.net; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm2; bh=NHgrd3T5V4ufClGBUWgbNL6MNfQ lMqZicW1/D9DPrSs=; b=uhoDVn/tYuaCz5+JIJu1PtmSVDFSPOVkHg7CtGfLgwH DgfPxfy+hd4kLyTuC9rHnuiJ4FmZ1nChaDdk8JWOXGlsqQTUaFWhRioLtjR9u8zM 6+OgrttBSHU5tA9BZ4gTHxK+MxPNx1DJ99aVZe+zcWA2bHcVHy4jNyyvP0ZZKmZj Gzx/ih0dygF1EgiW63U9wmTtM7XAzT/AyizN+IJubYWHUJozI/zvhqoLXtIowndX E4M+pAF6+7CzrmyWllqIaG7iKq1Q7Ls5uW1cJM+14BqH+uDLrBHSpK2u4yW5jiH6 dyc/tGP4O1QGxJoDMH6uI0oIASy+0yz2Dy57qg0rhUw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=NHgrd3 T5V4ufClGBUWgbNL6MNfQlMqZicW1/D9DPrSs=; b=XGggvW4DY7tyzuclzDgQ8K W3DtqS8xWPmbd7pw4FinnwOLd6+EV6MX9g/3gxdcOHOJ7nV0zA7pE3L3J65IlzB6 sspohyesln34T3YguhRSOhxiyeYpWBfWVyWDqOFOWqmQZyXaQsncdmL4DyUWIKIM IzIcyydRRzmzHFBDYVWNqCHOYUT1OTA+e4HmJe7fEv8D/jnaeBbnSwoT/7/+OMOC epNh4y5TM98kGlK5WNlG7PTSrB0UsBbibxgHAS5N4uADQ4zkCOathVVS43gARRsT 0zOHUpWXn1gsxTjGyzAkd+dvrTQe6YmUuajkm/vr0t34cfyq0o4miTSf/ovFYH4Q == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledrgedugdduieduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfh ggtggujggfsehttdertddtredvnecuhfhrohhmpefrvghtvghrucfjuhhtthgvrhgvrhcu oehpvghtvghrrdhhuhhtthgvrhgvrhesfihhohdqthdrnhgvtheqnecukfhppeduieejrd dujeelrdduieeirddvleenucfrrghrrghmpehmrghilhhfrhhomhepphgvthgvrhdrhhhu thhtvghrvghrseifhhhoqdhtrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd X-ME-Proxy: Received: from jelly (167-179-166-29.a7b3a6.bne.nbn.aussiebb.net [167.179.166.29]) by mail.messagingengine.com (Postfix) with ESMTPA id 8A613E40E1; Mon, 14 Jan 2019 17:41:16 -0500 (EST) Date: Tue, 15 Jan 2019 08:41:14 +1000 From: Peter Hutterer To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, Byoungyoung Lee , rydberg@bitmath.org, DaeRyong Jeong , syzkaller@googlegroups.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH] Input: uinput - fix undefined behavior in uinput_validate_absinfo() Message-ID: <20190114224114.GA18464@jelly> References: <20190114220448.GA241112@dtor-ws> <20190114220756.GF117329@dtor-ws> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190114220756.GF117329@dtor-ws> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 14, 2019 at 02:07:56PM -0800, Dmitry Torokhov wrote: > On Mon, Jan 14, 2019 at 02:04:48PM -0800, Dmitry Torokhov wrote: > > An integer overflow may arise in uinput_validate_absinfo() if "max - min" > > can't be represented by an "int". We should check for overflow before > > trying to use the result. > > > > Reported-by: Kyungtae Kim > > Cc: stable@vger.kernel.org > > Signed-off-by: Dmitry Torokhov > > --- > > drivers/input/misc/uinput.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c > > index 8ec483e8688b..26ec603fe220 100644 > > --- a/drivers/input/misc/uinput.c > > +++ b/drivers/input/misc/uinput.c > > @@ -39,6 +39,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include "../input-compat.h" > > > > @@ -405,7 +406,7 @@ static int uinput_open(struct inode *inode, struct file *file) > > static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, > > const struct input_absinfo *abs) > > { > > - int min, max; > > + int min, max, range; > > > > min = abs->minimum; > > max = abs->maximum; > > @@ -417,7 +418,7 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, > > return -EINVAL; > > } > > > > - if (abs->flat > max - min) { > > + if (check_sub_overflow(max, min, &range) && abs->flat > range) { > > This should be !check_sub_overflow(...) of course. Reviewed-by: Peter Hutterer with that in place, thanks. Cheers, Peter > > printk(KERN_DEBUG > > "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n", > > UINPUT_NAME, code, abs->flat, min, max); > > -- > > 2.20.1.97.g81188d93c3-goog > > > > > > -- > > Dmitry > > -- > Dmitry