linux/drivers
Dmitry Torokhov a3812fe7a4 tty: vt: keyboard: reject invalid keycodes
commit b2b2dd71e0 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while HID layer should not be reporting to us such big
keycodes, we should also be defensive and reject invalid data ourselves as
well.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-13 08:42:50 +01:00
accessibility
acpi Power management fix for 5.4-rc6 2019-11-01 09:30:48 -07:00
amba ARM updates for 5.4-rc: 2019-10-23 06:26:33 -04:00
android binder: Don't modify VMA bounds in ->mmap handler 2019-10-17 05:58:44 -07:00
ata ata: libahci_platform: Fix regulator_get_optional() misuse 2019-10-25 14:22:20 -06:00
atm atm: he: clean up an indentation issue 2019-09-25 13:54:45 +02:00
auxdisplay
base driver core: platform: use the correct callback type for bus_find_device 2019-12-04 22:30:45 +01:00
bcma
block nbd: prevent memory leak 2019-11-29 10:09:47 +01:00
bluetooth Revert "Bluetooth: hci_ll: set operational frequency earlier" 2019-11-29 10:09:43 +01:00
bus bus: ti-sysc: Fix watchdog quirk handling 2019-10-18 08:45:32 -07:00
cdrom
char lp: fix sparc64 LPSETTIMEOUT ioctl 2019-12-13 08:42:17 +01:00
clk Fixes for various clk driver issues that happened because of code we 2019-11-08 08:15:01 -08:00
clocksource - Fix scary messages in sh_mtu2 by using platform_irq_count() helper 2019-11-04 18:43:23 +01:00
connector
counter
cpufreq cpufreq: Add NULL checks to show() and store() methods of cpufreq 2019-11-29 10:10:07 +01:00
cpuidle cpuidle: haltpoll: Take 'idle=' override into account 2019-10-22 11:43:17 +02:00
crypto crypto: talitos - Fix build error by selecting LIB_DES 2019-12-04 22:31:07 +01:00
dax
dca
devfreq
dio
dma dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle 2019-10-23 21:15:21 +05:30
dma-buf dma-buf/resv: fix exclusive fence get 2019-10-10 17:05:20 +02:00
edac EDAC/ghes: Fix Use after free in ghes_edac remove path 2019-10-17 11:27:05 +02:00
eisa
extcon
firewire
firmware efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN 2019-10-31 09:40:21 +01:00
fpga
fsi
gnss
gpio gpio fixes for v5.4-rc8 2019-11-13 22:58:01 +01:00
gpu - Fix kernel oops on dumb_create ioctl on no crtc situation 2019-11-22 10:29:52 +10:00
greybus
hid HID: core: check whether Usage Page item is after Usage ID items 2019-12-04 22:31:07 +01:00
hsi HSI changes for the 5.4 series 2019-09-22 12:02:21 -07:00
hv Drivers: hv: vmbus: Fix harmless building warnings without CONFIG_PM_SLEEP 2019-10-01 14:49:45 -04:00
hwmon hwmon: (ina3221) Fix read timeout issue 2019-10-28 18:46:55 -07:00
hwspinlock
hwtracing coresight: etm4x: Fix input validation for sysfs. 2019-12-13 08:42:43 +01:00
i2c i2c: core: fix use after free in of_i2c_notify 2019-11-15 22:01:13 +01:00
i3c
ide
idle
iio iio: adc: stm32-adc: fix stopping dma 2019-10-27 15:57:19 +00:00
infiniband RDMA/hns: Correct the value of srq_desc_size 2019-11-06 13:37:02 -04:00
input Input: Fix memory leak in psxpad_spi_probe 2019-12-13 08:42:44 +01:00
interconnect interconnect: Add locking in icc_set_tag() 2019-10-20 12:14:41 +03:00
iommu iommu/vt-d: Fix panic after kexec -p for kdump 2019-10-30 10:30:22 +01:00
ipack
irqchip irqchip updates for 5.4, take 2 2019-10-25 14:25:15 +02:00
isdn net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
leds
lightnvm
macintosh cpufreq: Use per-policy frequency QoS 2019-10-21 02:05:21 +02:00
mailbox mailbox: tegra: Fix superfluous IRQ error message 2019-12-13 08:42:19 +01:00
mcb
md md/raid10: prevent access of uninitialized resync_pages offset 2019-11-29 10:09:45 +01:00
media media: rc: mark input device as pointing stick 2019-12-13 08:42:45 +01:00
memory
memstick memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' 2019-10-09 11:08:03 +02:00
message
mfd mfd: mt6397: Fix probe after changing mt6397-core 2019-10-24 08:49:25 +01:00
misc mei: me: add comet point V device id 2019-12-04 22:30:49 +01:00
mmc mmc: sdhci-of-at91: fix quirk2 overwrite 2019-11-14 14:57:53 +01:00
mtd mtd: rawnand: au1550nd: Fix au_read_buf16() prototype 2019-10-07 09:56:36 +02:00
mux
net mwifiex: Re-work support for SDIO HW reset 2019-12-13 08:42:26 +01:00
nfc nfc: port100: handle command failure cleanly 2019-11-21 11:48:17 -08:00
ntb NTB: fix IDT Kconfig typos/spellos 2019-09-23 17:20:40 -04:00
nubus
nvdimm libnvdimm fixes v5.4-rc1 2019-09-29 10:33:41 -07:00
nvme for-linus-2019-11-08 2019-11-08 18:15:55 -08:00
nvmem
of of: reserved_mem: add missing of_node_put() for proper ref-counting 2019-10-23 15:15:05 -05:00
opp opp: Reinitialize the list_kref before adding the static OPPs again 2019-10-23 10:58:44 +05:30
oprofile
parisc parisc: Remove 32-bit DMA enforcement from sba_iommu 2019-10-14 21:44:26 +02:00
parport
pci PCI: PM: Fix pci_power_up() 2019-10-15 23:51:36 +02:00
pcmcia Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
perf
phy pci-v5.4-changes 2019-09-23 19:16:01 -07:00
pinctrl pinctrl: stmfx: fix valid_mask init sequence 2019-11-07 10:06:46 +01:00
platform platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size 2019-12-04 22:31:08 +01:00
pnp
power power supply and reset changes for the v5.4 series 2019-09-22 12:04:59 -07:00
powercap
pps
ps3
ptp ptp: Introduce strict checking of external time stamp options. 2019-11-15 12:48:32 -08:00
pwm pwm: bcm-iproc: Prevent unloading the driver module while in use 2019-11-08 18:38:06 +01:00
rapidio
ras
regulator regulator: Fixes for v5.4 2019-10-23 15:31:17 -04:00
remoteproc remoteproc updates for v5.4 2019-09-22 10:55:08 -07:00
reset reset: fix of_reset_control_get_count kerneldoc comment 2019-10-24 10:26:33 +02:00
rpmsg
rtc RTC for 5.4 2019-09-22 11:05:43 -07:00
s390 s390/qeth: return proper errno on IO error 2019-11-20 12:29:47 -08:00
sbus
scsi SCSI fixes on 20191111 2019-11-11 09:14:36 -08:00
sfi
sh
siox
slimbus
soc soc: mediatek: cmdq: fixup wrong input order of write api 2019-12-13 08:42:40 +01:00
soundwire soundwire: slave: fix scanf format 2019-10-24 16:55:45 +05:30
spi
spmi
ssb
staging staging/octeon: Use stubs for MIPS && !CAVIUM_OCTEON_SOC 2019-12-13 08:42:19 +01:00
target SCSI fixes on 20191101 2019-11-02 11:15:52 -07:00
tc
tee tee/shm: untag user pointers in tee_shm_register 2019-09-25 17:51:41 -07:00
thermal cpufreq: Use per-policy frequency QoS 2019-10-21 02:05:21 +02:00
thunderbolt thunderbolt: Power cycle the router if NVM authentication fails 2019-12-04 22:30:50 +01:00
tty tty: vt: keyboard: reject invalid keycodes 2019-12-13 08:42:50 +01:00
uio
usb usb: gadget: u_serial: add missing port entry locking 2019-12-13 08:42:20 +01:00
vfio vfio/type1: Initialize resv_msi_base 2019-10-15 14:07:01 -06:00
vhost vringh: fix copy direction of vringh_iov_push_kern() 2019-10-28 04:25:04 -04:00
video - Some new documentation for GEM shmem madvise helpers 2019-11-08 12:12:57 +10:00
virt virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr 2019-10-10 14:50:32 +02:00
virtio virtio_balloon: fix shrinker count 2019-11-20 02:15:57 -05:00
visorbus
vlynq
vme
w1 w1: ds250x: Fix build error without CRC16 2019-10-10 15:35:41 +02:00
watchdog watchdog: bd70528: Add MODULE_ALIAS to allow module auto loading 2019-11-05 16:58:12 +01:00
xen Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-10-19 17:09:11 -04:00
zorro
Kconfig
Makefile