git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Alexander Larkin <avlarkin82@gmail.com>
	Mon, 5 Jul 2021 05:39:36 +0000 (22:39 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 20 Jul 2021 14:22:30 +0000 (16:22 +0200)
commit	68a9d136eca8946c7a1ad8ffa0d0cf08a32f0f04
tree	4159479ca96265172d30f228be00ad1dfb2137d4	tree
parent	fe64755f5de79918053e3737f0187ce628195342	commit \| diff

Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl

commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.

Even though we validate user-provided inputs we then traverse past
validated data when applying the new map. The issue was originally
discovered by Murray McAllister with this simple POC (if the following
is executed by an unprivileged user it will instantly panic the system):

int main(void) {
int fd, ret;
unsigned int buffer[10000];

fd = open("/dev/input/js0", O_RDONLY);
if (fd == -1)
printf("Error opening file\n");

ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
printf("%d\n", ret);
}

The solution is to traverse internal buffer which is guaranteed to only
contain valid date when constructing the map.

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister <murray.mcallister@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>