OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/drivers/input
History
Alexander Larkin 0f382fa359 Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl 
commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.

Even though we validate user-provided inputs we then traverse past
validated data when applying the new map. The issue was originally
discovered by Murray McAllister with this simple POC (if the following
is executed by an unprivileged user it will instantly panic the system):

int main(void) {
	int fd, ret;
	unsigned int buffer[10000];

	fd = open("/dev/input/js0", O_RDONLY);
	if (fd == -1)
		printf("Error opening file\n");

	ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
	printf("%d\n", ret);
}

The solution is to traverse internal buffer which is guaranteed to only
contain valid date when constructing the map.

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4a ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister <murray.mcallister@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2021-07-14 16:53:02 +02:00
..
gameport
joystick Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S 2021-03-04 10:26:41 +01:00
keyboard Input: nspire-keypad - enable interrupts only when opened 2021-04-21 12:56:13 +02:00
misc Input: cm109 - do not stomp on control URB 2020-12-16 10:56:57 +01:00
mouse Input: elantech - fix protocol errors for some trackpoints in SMBus mode 2021-03-07 12:20:41 +01:00
rmi4 Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() 2020-06-03 08:21:17 +02:00
serio Input: i8042 - fix Pegatron C15B ID entry 2021-04-21 12:56:15 +02:00
tablet
touchscreen Input: usbtouchscreen - fix control-request directions 2021-07-14 16:53:00 +02:00
Kconfig
Makefile
apm-power.c
evbug.c
evdev.c Input: evdev - call input_flush_device() on release(), not flush() 2020-06-03 08:21:16 +02:00
ff-core.c
ff-memless.c
input-compat.c
input-compat.h
input-leds.c
input-mt.c
input-polldev.c
input-poller.c
input-poller.h
input.c
joydev.c Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl 2021-07-14 16:53:02 +02:00
matrix-keymap.c
mousedev.c
sparse-keymap.c