From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com, Dmitry Torokhov
Subject: [PATCH 4.4 060/162] tty: vt: keyboard: reject invalid keycodes
Date: Thu, 19 Dec 2019 19:32:48 +0100
Message-Id: <20191219183211.520428414@linuxfoundation.org>
In-Reply-To: <20191219183150.477687052@linuxfoundation.org>
References: <20191219183150.477687052@linuxfoundation.org>

From: Dmitry Torokhov

commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

    BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
    BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
    BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
    Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
    ...
     kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
     kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
     input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
     input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
     input_pass_values drivers/input/input.c:949 [inline]
     input_set_keycode+0x290/0x320 drivers/input/input.c:954
     evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
     evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while HID layer should not be reporting to us such big
keycodes, we should also be defensive and reject invalid data ourselves as
well.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov Cc: stable Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/keyboard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -1460,7 +1460,7 @@ static void kbd_event(struct input_handl if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev)) kbd_rawcode(value); - if (event_type == EV_KEY) + if (event_type == EV_KEY && event_code <= KEY_MAX) kbd_keycode(event_code, value, HW_RAW(handle->dev)); spin_unlock(&kbd_event_lock);
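
Review bot: the added `event_code <= KEY_MAX` test in kbd_event() drops an out-of-range EV_KEY event silently and carries no comment explaining why the bound is inclusive. The hunk does not show the bitmap that kbd_keycode() writes (the trace places the overrun in clear_bit at keyboard.c:1411), so a one-line comment naming that array and its size would let a reader confirm that KEY_MAX itself is a valid index and that `<=` rather than `<` is intended. The trace also shows the event arriving through input_set_keycode() and input_pass_values(), and the commit message says the HID layer should not be reporting such keycodes, so it is worth stating in the changelog whether a matching range check at the source is planned, since this check protects only this handler.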