From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Murray McAllister, Linus Torvalds, Alexander Larkin, Dmitry Torokhov
Subject: [PATCH 5.10 033/593] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
Date: Mon, 12 Jul 2021 08:03:13 +0200
Message-Id: <20210712060846.822511203@linuxfoundation.org>
In-Reply-To: <20210712060843.180606720@linuxfoundation.org>
References: <20210712060843.180606720@linuxfoundation.org>

From: Alexander Larkin

commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.

Even though we validate user-provided inputs we then traverse past validated data when applying the new map. The issue was originally discovered by Murray McAllister with this simple POC (if the following is executed by an unprivileged user it will instantly panic the system):

    #include <stdio.h>          /* printf */
    #include <fcntl.h>          /* open, O_RDONLY */
    #include <sys/ioctl.h>      /* ioctl, IOCSIZE_MASK */
    #include <linux/joystick.h> /* JSIOCSBTNMAP */

    int main(void)
    {
        int fd, ret;
        unsigned int buffer[10000];

        fd = open("/dev/input/js0", O_RDONLY);
        if (fd == -1)
            printf("Error opening file\n");

        /* Masking out the size bits asks the kernel to validate zero bytes. */
        ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
        printf("%d\n", ret);
        return 0;
    }

The solution is to traverse the internal buffer, which is guaranteed to only contain valid data, when constructing the map.

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister
Suggested-by: Linus Torvalds
Signed-off-by: Alexander Larkin
Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman
---
 drivers/input/joydev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -500,7 +500,7 @@ static int joydev_handle_JSIOCSBTNMAP(st memcpy(joydev->keypam, keypam, len); for (i = 0; i < joydev->nkey; i++) - joydev->keymap[keypam[i] - BTN_MISC] = i; + joydev->keymap[joydev->keypam[i] - BTN_MISC] = i; out: kfree(keypam);
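Review bot: the one-token change is correct, but the invariant it restores is left undocumented at the loop, which is exactly how two earlier fixes (182d679b2298, 999b874f4aa3) touched this path without closing it. After `memcpy(joydev->keypam, keypam, len);` the local `keypam` holds only the `len` bytes copied from user space and validated, while the loop runs over all `joydev->nkey` entries, so indexing the local by `i` is unsafe whenever `nkey * sizeof(*keypam)` exceeds `len`; `joydev->keypam` always holds a full, previously validated map. Suggest a comment above the loop along the lines of `/* keypam holds only len validated bytes; build the map from joydev->keypam, which is always fully valid */`, so the two arrays are not mistaken for interchangeable again.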
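To make the root cause concrete, here is a constructed user-space model of the handler's validate, copy and build sequence, added here and not part of the patch or the kernel: the struct, function and helper names are hypothetical, the constants mirror BTN_MISC/KEY_MAX, and stale memory behind a short memdup_user copy is modelled as 0xffff poison. The `use_internal` flag switches between the pre-patch loop (reads the user copy) and the patched loop (reads `joydev->keypam`).

```c
/* Constructed model of the JSIOCSBTNMAP handler discussed above.
 * Hypothetical names; only the two loops mirror the visible kernel lines. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define BTN_MISC 0x100
#define KEY_MAX  0x2ff
#define NBTN     (KEY_MAX - BTN_MISC + 1)   /* entries in keypam/keymap */

struct joydev_model {
    int      nkey;            /* buttons the device reports */
    uint16_t keypam[NBTN];    /* internal, always-validated button map */
    uint8_t  keymap[NBTN];    /* reverse map: keycode - BTN_MISC -> button index */
};

/* Returns 0 on success, -EINVAL if the user map fails validation, and
 * 1 if building keymap would index past its end (the out-of-bounds write).
 * use_internal = 0 reproduces the pre-patch loop, 1 the patched loop. */
static int apply_btnmap(struct joydev_model *jd, const uint16_t *user,
                        size_t len, int use_internal)
{
    /* Stand-in for memdup_user(argp, len): the copy holds only len bytes;
     * everything past it is stale memory, modelled here as 0xffff poison. */
    uint16_t keypam[NBTN];
    size_t i;
    if (len % sizeof(*keypam))
        return -EINVAL;
    if (len > sizeof(jd->keypam))
        len = sizeof(jd->keypam);
    memset(keypam, 0xff, sizeof(keypam));
    memcpy(keypam, user, len);

    /* Validation covers exactly the len / 2 entries the caller supplied. */
    for (i = 0; i < len / sizeof(*keypam); i++)
        if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC)
            return -EINVAL;
    memcpy(jd->keypam, keypam, len);

    /* The loop runs nkey times regardless of len, so reading the user copy
     * (pre-patch) walks into unvalidated bytes once nkey * 2 > len. */
    for (i = 0; i < (size_t)jd->nkey; i++) {
        unsigned int idx = (use_internal ? jd->keypam[i] : keypam[i]) - BTN_MISC;
        if (idx >= NBTN)
            return 1;                  /* would write outside keymap */
        jd->keymap[idx] = (uint8_t)i;
    }
    return 0;
}
```

With a zero-length payload (the shape of the POC) the pre-patch loop reports an out-of-range index on its first iteration, while the patched loop simply rebuilds the map from the untouched internal buffer.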