linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: [PATCH 5.3 066/105] tty: vt: keyboard: reject invalid keycodes
Date: Wed, 11 Dec 2019 16:05:55 +0100
Message-ID: <20191211150247.684002354@linuxfoundation.org>
In-Reply-To: <20191211150221.153659747@linuxfoundation.org>

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while the HID layer should not be reporting such big
keycodes to us, we should also be defensive and reject invalid data
ourselves.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/keyboard.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1491,7 +1491,7 @@ static void kbd_event(struct input_handl
 
 	if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
 		kbd_rawcode(value);
-	if (event_type == EV_KEY)
+	if (event_type == EV_KEY && event_code <= KEY_MAX)
 		kbd_keycode(event_code, value, HW_RAW(handle->dev));
 
 	spin_unlock(&kbd_event_lock);
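Review bot: the new bound is enforced only at this call site in kbd_event(); kbd_keycode() itself (keyboard.c:1411 in the KASAN trace, where clear_bit() indexes the key_down bitmap) still trusts whatever keycode it is handed, so any other caller would reintroduce the same global-out-of-bounds write. Consider moving the `event_code <= KEY_MAX` test into kbd_keycode(), or at least adding a one-line comment here saying the limit exists because the bitmap is sized for keycodes up to KEY_MAX, so the reason survives later refactoring. Also note that an out-of-range EV_KEY event is now dropped silently; since the commit message says the HID layer should never deliver such codes, a rate-limited warning at this point would make a misbehaving or fuzzed device visible in the logs rather than invisible.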


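As an added illustration of the defensive check described above (this is not code from the kernel or from the patch author), the following user-space model reproduces how the console keyboard driver tracks key state in a bitmap indexed by keycode, shows which bitmap word an oversized keycode would select, and applies the same `event_code <= KEY_MAX` guard before the bitmap is touched. The constants mirror the kernel's input-event-codes.h; the struct, the function names and the simplified key-state handling are this example's own assumptions.

```c
/*
 * Added example, not code from the kernel or from the patch author: a small
 * user-space model of how drivers/tty/vt/keyboard.c tracks key state in a
 * bitmap indexed by keycode, and of the bound check the patch adds before
 * that bitmap is touched. Constants mirror include/uapi/linux/input-event-codes.h;
 * the function names and the simplified key-state handling are hypothetical.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EV_KEY   0x01
#define KEY_MAX  0x2ff           /* highest valid keycode */
#define KEY_CNT  (KEY_MAX + 1)   /* number of valid keycodes */

#define BITS_PER_LONG    (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Model of the driver's key_down[] bitmap: one bit per valid keycode. */
struct kbd_state {
	unsigned long key_down[BITS_TO_LONGS(KEY_CNT)];
};

/* Word of the bitmap that a keycode selects. */
static size_t keycode_word(unsigned int code)
{
	return code / BITS_PER_LONG;
}

/*
 * True when the bitmap word for this keycode exists. Any code above KEY_MAX
 * selects a word past the end of key_down[], which is exactly the
 * global-out-of-bounds write KASAN reported in the commit message.
 */
static bool keycode_word_in_bounds(unsigned int code)
{
	return keycode_word(code) < BITS_TO_LONGS(KEY_CNT);
}

/* Simplified stand-in for kbd_keycode(): record whether the key is down.
 * Like the real function, it trusts the caller to have validated the code. */
static void kbd_keycode_model(struct kbd_state *s, unsigned int code, bool down)
{
	unsigned long mask = 1UL << (code % BITS_PER_LONG);

	if (down)
		s->key_down[keycode_word(code)] |= mask;
	else
		s->key_down[keycode_word(code)] &= ~mask;
}

/*
 * Stand-in for the patched kbd_event(): an EV_KEY event reaches the keycode
 * handler only when its code fits the bitmap. Returns true when the event was
 * handled, false when it was ignored (not an EV_KEY event, or out of range).
 */
static bool kbd_event_checked(struct kbd_state *s, unsigned int type,
			      unsigned int code, int value)
{
	if (type != EV_KEY)
		return false;
	if (code > KEY_MAX)          /* the check added by the patch */
		return false;
	kbd_keycode_model(s, code, value != 0);
	return true;
}

/* Query helper: is the key currently recorded as pressed? */
static bool key_is_down(const struct kbd_state *s, unsigned int code)
{
	if (code > KEY_MAX)
		return false;
	return (s->key_down[keycode_word(code)] >> (code % BITS_PER_LONG)) & 1UL;
}

int main(void)
{
	struct kbd_state s;
	unsigned int fuzzed = 12 * 1024;   /* constructed: a "12K buttons" keycode */

	memset(&s, 0, sizeof(s));
	printf("KEY_MAX %#x -> word %zu of %zu, in bounds: %d\n", KEY_MAX,
	       keycode_word(KEY_MAX), BITS_TO_LONGS(KEY_CNT),
	       keycode_word_in_bounds(KEY_MAX));
	printf("code %u -> word %zu of %zu, in bounds: %d\n", fuzzed,
	       keycode_word(fuzzed), BITS_TO_LONGS(KEY_CNT),
	       keycode_word_in_bounds(fuzzed));
	printf("EV_KEY event with code %u handled: %d\n", fuzzed,
	       kbd_event_checked(&s, EV_KEY, fuzzed, 1));
	return 0;
}
```

The guard is placed in the caller, as in the patch, so `kbd_keycode_model()` stays unchecked to match the real `kbd_keycode()`; `keycode_word_in_bounds()` makes the failure mode visible without performing the out-of-bounds write.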
