From: Alexander Larkin
To: dmitry.torokhov@gmail.com, dan.carpenter@oracle.com, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org
Cc: Alexander Larkin, Murray McAllister
Subject: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl
Date: Sun, 20 Jun 2021 15:00:30 +0300
Message-Id: <20210620120030.1513655-1-avlarkin82@gmail.com>

The problem is that the check of user input values just before the fixed line of code covers only the first values (before len or before len/2), but then all the values, including those with i >= len (or i >= len/2), could be used. Since the resulting array of values is initialised by default with good values, the fix is to ignore out-of-bounds values and to use only the correct input values from the user.

Originally detected by Murray with this simple PoC (if you run the following as an unprivileged user on a default install, it will instantly panic the system):

	/* headers needed to build the PoC as posted */
	#include <fcntl.h>
	#include <stdio.h>
	#include <sys/ioctl.h>
	#include <linux/joystick.h>

	int main(void)
	{
		int fd, ret;
		unsigned int buffer[10000];

		fd = open("/dev/input/js0", O_RDONLY);
		if (fd == -1)
			printf("Error opening file\n");
		/* masking off the size bits makes the ioctl carry a length of 0 */
		ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
		printf("%d\n", ret);
	}

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Reported-by: Murray McAllister
Signed-off-by: Alexander Larkin
---
 drivers/input/joydev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c index da8963a9f044..1aa067d4a3e8 100644 --- a/drivers/input/joydev.c +++ b/drivers/input/joydev.c @@ -464,7 +464,7 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev, memcpy(joydev->abspam, abspam, len); - for (i = 0; i < joydev->nabs; i++) + for (i = 0; i < len && i < joydev->nabs; i++) joydev->absmap[joydev->abspam[i]] = i; out:
@@ -498,7 +498,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev, memcpy(joydev->keypam, keypam, len); - for (i = 0; i < joydev->nkey; i++) + for (i = 0; i < (len / 2) && i < joydev->nkey; i++) joydev->keymap[keypam[i] - BTN_MISC] = i; out: -- 2.27.0
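Review bot: In the JSIOCSAXMAP hunk the new bound `i < len && i < joydev->nabs` now matches the validation loop, but it also means a map shorter than `nabs` axes is silently accepted and the trailing `absmap` entries are simply left untouched; consider either stating that partial maps are accepted or returning -EINVAL when `len < joydev->nabs` so the contract is explicit. Note that `len` is a byte count and is only a valid element bound here because `abspam` entries are one byte wide, whereas the JSIOCSBTNMAP hunk has to use `len / 2`; a short comment on each loop would make that asymmetry obvious to the next reader. Also, this loop indexes the struct copy `joydev->abspam[i]` (already populated by the memcpy) while the JSIOCSBTNMAP loop indexes the local `keypam[i]`; picking one convention for both handlers would make them easier to review together.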
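Review bot: In the JSIOCSBTNMAP hunk the `i < (len / 2)` bound is what stops the loop from reading `keypam[i]` beyond the `len` bytes that actually came from user space and then using that unvalidated value in `joydev->keymap[keypam[i] - BTN_MISC] = i`, so the fix is sound; two follow-ups worth considering: an odd `len` truncates to `len / 2` entries while the memcpy still copies all `len` bytes, and `len == 0` (the case the PoC reaches by masking off the size bits) now results in an empty loop rather than an error, so rejecting odd or zero sizes with -EINVAL would make the accepted input explicit; and reading `joydev->keypam[i]` after the memcpy, as the JSIOCSAXMAP loop does with `joydev->abspam[i]`, would keep the two handlers consistent.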
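To make the bound mismatch concrete, here is a user-space model of the JSIOCSBTNMAP loops before and after the patch; it is added here and is not the kernel's code, the BTN_MISC/KEY_MAX values and keymap size are assumptions for the model, and a bounds-checked store stands in for the kernel's unchecked write.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Event-code constants as in the kernel's input headers (assumed for this model). */
#define BTN_MISC    0x100
#define KEY_MAX     0x2ff
#define KEYMAP_LEN  (KEY_MAX - BTN_MISC + 1)

/*
 * Model of the two loops in joydev_handle_JSIOCSBTNMAP: `len` is the ioctl size
 * in bytes, so only len/2 entries of `keypam` came from the user and only those
 * are validated; `nkey` is the device's button count. `have` is how many entries
 * the caller's buffer really holds, so this model never reads past it (in the
 * kernel, entries beyond len/2 were whatever followed the allocation). Returns -1
 * if validation rejects the map, else the number of keymap stores that would have
 * landed outside keymap[]: refused here, an out-of-bounds write in the kernel.
 */
static int apply_btnmap(const uint16_t *keypam, size_t have, size_t len,
                        unsigned nkey, uint8_t *keymap, int fixed)
{
    size_t i, bound;
    int oob = 0;

    for (i = 0; i < len / 2 && i < nkey; i++)        /* validation loop */
        if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC)
            return -1;

    /* usage loop: the unfixed bound is nkey alone, the fixed one also len/2 */
    bound = (fixed && len / 2 < nkey) ? len / 2 : nkey;
    for (i = 0; i < bound && i < have; i++) {
        long idx = (long)keypam[i] - BTN_MISC;
        if (idx < 0 || idx >= KEYMAP_LEN) {
            oob++;                 /* unvalidated entry -> out-of-range index */
            continue;
        }
        keymap[idx] = (uint8_t)i;
    }
    return oob;
}

/* Constructed input: a 2-entry map (len = 4 bytes) for a 6-button device, with
 * garbage after the map standing in for whatever memory follows the allocation. */
static int demo(int fixed)
{
    uint16_t buf[8] = { BTN_MISC + 1, BTN_MISC + 2,
                        0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff };
    uint8_t keymap[KEYMAP_LEN];
    memset(keymap, 0, sizeof keymap);
    return apply_btnmap(buf, 8, 4, 6, keymap, fixed);   /* 4 when unfixed, 0 when fixed */
}
```

With the old bound the four entries that were never validated each yield an index far outside keymap[]; with the patched bound the loop stops where validation stopped.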