From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com, syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com, Dmitry Torokhov
Date: Fri, 24 Apr 2020 00:07:21 +0100
Subject: [PATCH 3.16 214/245] Input: add safety guards to input_set_keycode()

3.16.83-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov

commit cb222aed03d798fc074be55e59d9a112338ee784 upstream.

If we happen to have garbage in input device's keycode table with
values too big we'll end up doing clear_bit() with offset way outside
of our bitmaps, damaging other objects within an input device or even
outside of it.

Let's add sanity checks to the returned old keycodes.

Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com
Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws
Signed-off-by: Dmitry Torokhov
Signed-off-by: Ben Hutchings
---
 drivers/input/input.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -841,16 +841,18 @@ static int input_default_setkeycode(stru } } - __clear_bit(*old_keycode, dev->keybit); - __set_bit(ke->keycode, dev->keybit); - - for (i = 0; i < dev->keycodemax; i++) { - if (input_fetch_keycode(dev, i) == *old_keycode) { - __set_bit(*old_keycode, dev->keybit); - break; /* Setting the bit twice is useless, so break */ + if (*old_keycode <= KEY_MAX) { + __clear_bit(*old_keycode, dev->keybit); + for (i = 0; i < dev->keycodemax; i++) { + if (input_fetch_keycode(dev, i) == *old_keycode) { + __set_bit(*old_keycode, dev->keybit); + /* Setting the bit twice is useless, so break */ + break; + } } } + __set_bit(ke->keycode, dev->keybit); return 0; } @@ -906,9 +908,13 @@ int input_set_keycode(struct input_dev * * Simulate keyup event if keycode is not present * in the keymap anymore */ - if (test_bit(EV_KEY, dev->evbit) && - !is_event_supported(old_keycode, dev->keybit, KEY_MAX) && - __test_and_clear_bit(old_keycode, dev->key)) { + if (old_keycode > KEY_MAX) { + dev_warn(dev->dev.parent ?: &dev->dev, + "%s: got too big old keycode %#x\n", + __func__, old_keycode); + } else if (test_bit(EV_KEY, dev->evbit) && + !is_event_supported(old_keycode, dev->keybit, KEY_MAX) && + __test_and_clear_bit(old_keycode, dev->key)) { struct input_value vals[] = { { EV_KEY, old_keycode, 0 }, input_value_sync
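Review bot: in the input_default_setkeycode() hunk (@@ -841), `__set_bit(ke->keycode, dev->keybit);` is still issued unconditionally after the new `if (*old_keycode <= KEY_MAX)` block, so the same out-of-range bitmap write is reachable through ke->keycode unless the earlier part of the function or its caller, which is not in the visible context, already rejects ke->keycode > KEY_MAX; please confirm that bound exists, or add the symmetric check next to the new one. Also, unlike the second hunk, a skipped over-large *old_keycode here is silent; if the intent is that only the caller reports it, a one-line comment on the new `if` saying so would keep the two guards from looking inconsistent.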
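Review bot: in the input_set_keycode() hunk (@@ -906), the `old_keycode > KEY_MAX` branch only logs and falls through, which is the right outcome given that the comment above it shows the keymap has already been updated by this point, but the plain dev_warn() is unratelimited and this path is hit on every call that replaces such an entry; consider `dev_warn_ratelimited(dev->dev.parent ?: &dev->dev, ...)` so a device whose table is full of garbage cannot flood the log. It would also help to say in the message that the keymap entry was replaced anyway, so a reader of the log knows the warning is not a failed call.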
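The commit message describes the failure mode in one sentence: an over-large keycode read back from the keycode table is used as a bit index into dev->keybit, so clear_bit() lands in whatever follows the bitmap. The following is an added user-space model of that mechanism and of the guard the patch adds; it is not kernel code. KEY_MAX is the kernel's value, while struct model_dev, its 16-bit keycode table, the word placed directly after the bitmap and the function names are constructed for the illustration. The unchecked variant mirrors the pre-patch flow (clear old, restore if still mapped, set new); the checked variant mirrors the patched flow and reports a skipped old keycode through its return value where the kernel calls dev_warn().

```c
/*
 * Added example (not kernel code): a user-space model of the keycode-table
 * bug fixed by the patch. KEY_MAX is the kernel's value; everything else is
 * a hypothetical stand-in for struct input_dev. The keybit bitmap is sized
 * for KEY_MAX+1 bits and is immediately followed by another word, so an
 * "old keycode" of KEY_MAX+1 read from a corrupted table makes the
 * unchecked clear_bit() land in that neighbour.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 0x2ff                      /* kernel value */
#define BITS_PER_LONG (8u * (unsigned)sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define KEYBIT_WORDS BITS_TO_LONGS(KEY_MAX + 1)
#define KEYCODEMAX 8                       /* constructed table size */

struct model_dev {
    /* words[0..KEYBIT_WORDS-1] model dev->keybit; words[KEYBIT_WORDS]
     * models whatever field follows the bitmap (constructed layout). */
    unsigned long words[KEYBIT_WORDS + 1];
    uint16_t keycode[KEYCODEMAX];          /* scancode -> keycode table */
};

static void clear_bit_(unsigned nr, unsigned long *map)
{
    map[nr / BITS_PER_LONG] &= ~(1UL << (nr % BITS_PER_LONG));
}
static void set_bit_(unsigned nr, unsigned long *map)
{
    map[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG);
}
static bool test_bit_(unsigned nr, const unsigned long *map)
{
    return (map[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1UL;
}

/* The loop from the hunk: re-set old_keycode if another scancode still maps to it. */
static void restore_if_still_mapped(struct model_dev *d, unsigned old_keycode)
{
    for (unsigned i = 0; i < KEYCODEMAX; i++)
        if (d->keycode[i] == old_keycode) {
            set_bit_(old_keycode, d->words);
            break;
        }
}

/* Pre-patch flow: trusts whatever the table holds as a bit index. */
void setkeycode_unchecked(struct model_dev *d, unsigned scancode, unsigned new_keycode)
{
    unsigned old_keycode = d->keycode[scancode];
    d->keycode[scancode] = (uint16_t)new_keycode;
    clear_bit_(old_keycode, d->words);     /* out of bounds if old > KEY_MAX */
    restore_if_still_mapped(d, old_keycode);
    set_bit_(new_keycode, d->words);
}

/* Patched flow: -1 if the new keycode is invalid, 1 if an over-large old
 * keycode was skipped (the kernel logs dev_warn() there), 0 otherwise. */
int setkeycode_checked(struct model_dev *d, unsigned scancode, unsigned new_keycode)
{
    if (new_keycode > KEY_MAX)
        return -1;
    unsigned old_keycode = d->keycode[scancode];
    d->keycode[scancode] = (uint16_t)new_keycode;
    int rc = 0;
    if (old_keycode <= KEY_MAX) {
        clear_bit_(old_keycode, d->words);
        restore_if_still_mapped(d, old_keycode);
    } else {
        rc = 1;
    }
    set_bit_(new_keycode, d->words);
    return rc;
}

/* Fresh model: scancode 0 holds a constructed garbage keycode just past
 * KEY_MAX, scancode 1 holds a sane keycode, and the neighbour word is all
 * ones so any stray clear_bit() is visible. */
void model_dev_init(struct model_dev *d)
{
    memset(d, 0, sizeof *d);
    d->words[KEYBIT_WORDS] = ~0UL;
    d->keycode[0] = KEY_MAX + 1;
    d->keycode[1] = 30;
    set_bit_(30, d->words);
}

unsigned long neighbour_word(const struct model_dev *d) { return d->words[KEYBIT_WORDS]; }
bool keybit_is_set(const struct model_dev *d, unsigned kc) { return test_bit_(kc, d->words); }

/* Run one call against a fresh model; returns the neighbour word afterwards
 * and stores the checked variant's return code (0 for the unchecked path). */
unsigned long run_scenario(bool checked, unsigned scancode, unsigned new_keycode, int *rc)
{
    struct model_dev d;
    model_dev_init(&d);
    *rc = checked ? setkeycode_checked(&d, scancode, new_keycode) : 0;
    if (!checked)
        setkeycode_unchecked(&d, scancode, new_keycode);
    return neighbour_word(&d);
}

int main(void)
{
    int rc;
    printf("unchecked: neighbour word %#lx\n", run_scenario(false, 0, 31, &rc));
    printf("checked:   neighbour word %#lx, rc=%d\n", run_scenario(true, 0, 31, &rc), rc);
    return 0;
}
```

With KEY_MAX+1 the stray write lands in the very first bit past the bitmap, which keeps the model within its own array; a real garbage value such as 0xffff in a 16-bit table would index 128 words further on, which is the "other objects within an input device or even outside of it" case the commit message refers to.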