From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Jeff LaBundy" <jeff@labundy.com>,
	"Tomasz Moń" <tomasz.mon@camlingroup.com>,
	"Dmitry Torokhov" <dmitry.torokhov@gmail.com>,
	"Sasha Levin" <sashal@kernel.org>,
	linux-input@vger.kernel.org
Subject: [PATCH AUTOSEL 5.16 09/30] Input: add bounds checking to input_set_capability()
Date: Wed,  6 Apr 2022 21:11:19 -0400
Message-ID: <20220407011140.113856-9-sashal@kernel.org>
In-Reply-To: <20220407011140.113856-1-sashal@kernel.org>

From: Jeff LaBundy <jeff@labundy.com>

[ Upstream commit 409353cbe9fe48f6bc196114c442b1cff05a39bc ]

Update input_set_capability() to prevent kernel panic in case the
event code exceeds the bitmap for the given event type.

Suggested-by: Tomasz Moń <tomasz.mon@camlingroup.com>
Signed-off-by: Jeff LaBundy <jeff@labundy.com>
Reviewed-by: Tomasz Moń <tomasz.mon@camlingroup.com>
Link: https://lore.kernel.org/r/20220320032537.545250-1-jeff@labundy.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/input.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/input/input.c b/drivers/input/input.c
index c3139bc2aa0d..42099c8c417c 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -47,6 +47,17 @@ static DEFINE_MUTEX(input_mutex);
 
 static const struct input_value input_value_sync = { EV_SYN, SYN_REPORT, 1 };
 
+static const unsigned int input_max_code[EV_CNT] = {
+	[EV_KEY] = KEY_MAX,
+	[EV_REL] = REL_MAX,
+	[EV_ABS] = ABS_MAX,
+	[EV_MSC] = MSC_MAX,
+	[EV_SW] = SW_MAX,
+	[EV_LED] = LED_MAX,
+	[EV_SND] = SND_MAX,
+	[EV_FF] = FF_MAX,
+};
+
 static inline int is_event_supported(unsigned int code,
 				     unsigned long *bm, unsigned int max)
 {
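Review bot: input_max_code[] carries no comment explaining that a zero entry means "not checked". The table lists EV_KEY through EV_FF only, so every other index below EV_CNT is implicitly 0, and the test `input_max_code[type] &&` in input_set_capability() skips those types. A one-line comment above the array stating that unlisted types are deliberately left at 0 would keep a later reader from treating the gaps as omissions or from adding an entry whose maximum is legitimately 0.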
@@ -2074,6 +2085,14 @@ EXPORT_SYMBOL(input_get_timestamp);
  */
 void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code)
 {
+	if (type < EV_CNT && input_max_code[type] &&
+	    code > input_max_code[type]) {
+		pr_err("%s: invalid code %u for type %u\n", __func__, code,
+		       type);
+		dump_stack();
+		return;
+	}
+
 	switch (type) {
 	case EV_KEY:
 		__set_bit(code, dev->keybit);
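Review bot: the new guard at the top of input_set_capability() never rejects an out-of-range type, because `type < EV_CNT &&` short-circuits and any type >= EV_CNT skips the check and falls through to the switch, whose default branch is not visible in this hunk. If that reliance is intended, a short comment should say so; otherwise handle the invalid type in the same branch. The function also returns void, so after pr_err() and dump_stack() the caller continues without knowing the capability was not set; the kernel-doc above the function should state that invalid codes are logged and ignored.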
-- 
2.35.1

