All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alexander Larkin <avlarkin82@gmail.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	linux-input@vger.kernel.org, lkml <linux-kernel@vger.kernel.org>,
	Security Officers <security@kernel.org>,
	Murray McAllister <murray.mcallister@gmail.com>
Subject: Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl
Date: Sun, 20 Jun 2021 22:25:08 -0700	[thread overview]
Message-ID: <YNAitJfOpoBkFitU@google.com> (raw)
In-Reply-To: <CAADWXX-fpcPh+jGX7=Hbkqr7yhwzbUT915NBBzqHGecFVbxmzw@mail.gmail.com>

On Sun, Jun 20, 2021 at 09:37:47AM -0700, Linus Torvalds wrote:
> On Sun, Jun 20, 2021 at 5:01 AM Alexander Larkin <avlarkin82@gmail.com> wrote:
> >
> >     The problem is that the check of user input values that is just
> >     before the fixed line of code is for the part of first values
> >     (before len or before len/2), but then the usage of all the values
> >     including i >= len (or i >= len/2) could be.
> 
> No, I think the problem is simpler than that.
> 
> > -       for (i = 0; i < joydev->nabs; i++)
> > +       for (i = 0; i < len && i < joydev->nabs; i++)
> >                 joydev->absmap[joydev->abspam[i]] = i;
> 
> This part is unnecessary - all values of "joydev->abspam[i]" have been
> validated (either they are the old ones, or the new ones that we just
> validated).
> 
> >         memcpy(joydev->keypam, keypam, len);
> >
> > -       for (i = 0; i < joydev->nkey; i++)
> > +       for (i = 0; i < (len / 2) && i < joydev->nkey; i++)
> >                 joydev->keymap[keypam[i] - BTN_MISC] = i;
> 
> The problem here is not that we walk past "len/2", but that the code
> *should* have used
> 
>         joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
> 
> (note the "keypam[1]" vs "joydev->keypam[i]").
> 
> And the reason it *should* walk the whole "joydev->nkey" is that if
> there are later cases with the same keypam value, the later ones
> should override the previous ones (well, that "should" is more a
> "traditionally have").

Yes, we can discuss whether "short" ioctl should clear out the part of
map that is not supplied by the call, but given that I consider joydev
legacy my preference would be to leave this as it was.

> 
> So I think the right patch is this one-liner
> 
>   diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
>   index da8963a9f044..947d440a3be6 100644
>   --- a/drivers/input/joydev.c
>   +++ b/drivers/input/joydev.c
>   @@ -499,7 +499,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct
> joydev *joydev,
>         memcpy(joydev->keypam, keypam, len);
> 
>         for (i = 0; i < joydev->nkey; i++)
>   -             joydev->keymap[keypam[i] - BTN_MISC] = i;
>   +             joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
> 
>     out:
>         kfree(keypam);
> 
> (whitespace-damaged, I would like Dmitry to think about it rather than
> apply this mindlessly.
> 
> Dmitry?

Yes, this makes sense to me and it is safe as joydev->keypam is
guaranteed to be the right size.

Are you going to reformat this and resend or should I?


Thanks.

-- 
Dmitry

  reply	other threads:[~2021-06-21  5:25 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-20 12:00 [PATCH] Input: joydev - prevent potential write out of bounds in ioctl Alexander Larkin
2021-06-20 16:37 ` Linus Torvalds
2021-06-21  5:25   ` Dmitry Torokhov [this message]
2021-06-21 15:45     ` Linus Torvalds
2021-06-21 20:06       ` Alexander Larkin
2021-06-21 21:30       ` Alexander Larkin
2021-06-21 21:32       ` Alexander Larkin
2021-06-21 22:38         ` Dmitry Torokhov
2021-07-03 16:21 ` Denis Efremov
2021-07-05 10:54   ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YNAitJfOpoBkFitU@google.com \
    --to=dmitry.torokhov@gmail.com \
    --cc=avlarkin82@gmail.com \
    --cc=dan.carpenter@oracle.com \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=murray.mcallister@gmail.com \
    --cc=security@kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.