From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kyungtae Kim <kt0755@gmail.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: [PATCH 4.19 14/25] vt: keyboard: avoid signed integer overflow in k_ascii
Date: Tue, 9 Jun 2020 19:45:04 +0200 [thread overview]
Message-ID: <20200609174050.224328991@linuxfoundation.org> (raw)
In-Reply-To: <20200609174048.576094775@linuxfoundation.org>
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit b86dab054059b970111b5516ae548efaae5b3aae upstream.
When k_ascii is invoked several times in a row there is a potential for
signed integer overflow:
UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
10 * 1111111111 cannot be represented in type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
handle_overflow+0xdc/0xf0 lib/ubsan.c:184
__ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
While it can be worked around by using check_mul_overflow()/
check_add_overflow(), it is better to introduce a separate flag to
signal that number pad is being used to compose a symbol, and
change type of the accumulator from signed to unsigned, thus
avoiding undefined behavior when it overflows.
Reported-by: Kyungtae Kim <kt0755@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/keyboard.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -127,7 +127,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /
static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
static bool dead_key_next;
-static int npadch = -1; /* -1 or number assembled on pad */
+
+/* Handles a number being assembled on the number pad */
+static bool npadch_active;
+static unsigned int npadch_value;
+
static unsigned int diacr;
static char rep; /* flag telling character repeat */
@@ -845,12 +849,12 @@ static void k_shift(struct vc_data *vc,
shift_state &= ~(1 << value);
/* kludge */
- if (up_flag && shift_state != old_state && npadch != -1) {
+ if (up_flag && shift_state != old_state && npadch_active) {
if (kbd->kbdmode == VC_UNICODE)
- to_utf8(vc, npadch);
+ to_utf8(vc, npadch_value);
else
- put_queue(vc, npadch & 0xff);
- npadch = -1;
+ put_queue(vc, npadch_value & 0xff);
+ npadch_active = false;
}
}
@@ -868,7 +872,7 @@ static void k_meta(struct vc_data *vc, u
static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
{
- int base;
+ unsigned int base;
if (up_flag)
return;
@@ -882,10 +886,12 @@ static void k_ascii(struct vc_data *vc,
base = 16;
}
- if (npadch == -1)
- npadch = value;
- else
- npadch = npadch * base + value;
+ if (!npadch_active) {
+ npadch_value = 0;
+ npadch_active = true;
+ }
+
+ npadch_value = npadch_value * base + value;
}
static void k_lock(struct vc_data *vc, unsigned char value, char up_flag)
next prev parent reply other threads:[~2020-06-09 18:12 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 17:44 [PATCH 4.19 00/25] 4.19.128-rc1 review Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 01/25] devinet: fix memleak in inetdev_init() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 02/25] l2tp: add sk_family checks to l2tp_validate_socket Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 03/25] l2tp: do not use inet_hash()/inet_unhash() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 04/25] net: usb: qmi_wwan: add Telit LE910C1-EUX composition Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 05/25] NFC: st21nfca: add missed kfree_skb() in an error path Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 06/25] vsock: fix timeout in vsock_accept() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 07/25] net: check untrusted gso_size at kernel entry Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 08/25] USB: serial: qcserial: add DW5816e QDL support Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.19 09/25] USB: serial: usb_wwan: do not resubmit rx urb on fatal errors Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 10/25] USB: serial: option: add Telit LE910C1-EUX compositions Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 11/25] iio: vcnl4000: Fix i2c swapped word reading Greg Kroah-Hartman
2020-06-15 13:30 ` Pavel Machek
2020-06-16 8:18 ` Jonathan Cameron
2020-06-09 17:45 ` [PATCH 4.19 12/25] usb: musb: start session in resume for host port Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 13/25] usb: musb: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-09 17:45 ` Greg Kroah-Hartman [this message]
2020-06-09 17:45 ` [PATCH 4.19 15/25] tty: hvc_console, fix crashes on parallel open/close Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 16/25] staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 17/25] CDC-ACM: heed quirk also in error handling Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 18/25] nvmem: qfprom: remove incorrect write support Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 19/25] x86/cpu: Add a steppings field to struct x86_cpu_id Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 20/25] x86/cpu: Add table argument to cpu_matches() Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 21/25] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 22/25] x86/speculation: Add SRBDS vulnerability and mitigation documentation Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 23/25] x86/speculation: Add Ivy Bridge to affected list Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 24/25] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned Greg Kroah-Hartman
2020-06-09 18:55 ` Naresh Kamboju
2020-06-09 19:03 ` Greg Kroah-Hartman
2020-06-10 14:53 ` Oleg Nesterov
2020-06-10 14:58 ` Greg Kroah-Hartman
2020-06-11 16:51 ` Oleg Nesterov
2020-06-12 5:46 ` Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.19 25/25] Revert "net/mlx5: Annotate mutex destroy for root ns" Greg Kroah-Hartman
2020-06-11 22:17 ` Saeed Mahameed
2020-06-12 1:07 ` Sasha Levin
2020-06-09 19:01 ` [PATCH 4.19 00/25] 4.19.128-rc1 review Naresh Kamboju
2020-06-09 19:20 ` Shuah Khan
2020-06-09 19:41 ` Greg Kroah-Hartman
2020-06-10 11:29 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200609174050.224328991@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dmitry.torokhov@gmail.com \
--cc=kt0755@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).