Input: iforce - bound the device-reported force-feedback effect index

iforce_process_packet() handles a status report (packet id 0x02) by
taking a force-feedback effect index straight from the device wire and
using it to address the per-effect state array:

	i = data[1] & 0x7f;
	if (data[1] & 0x80) {
		if (!test_and_set_bit(FF_CORE_IS_PLAYED,
				      iforce->core_effects[i].flags))
			...
	} else if (test_and_clear_bit(FF_CORE_IS_PLAYED,
				      iforce->core_effects[i].flags)) {
		...
	}

The index is masked only with 0x7f, so it ranges 0..127, but
core_effects[] holds only IFORCE_EFFECTS_MAX (32) entries.  For an index
of 32..127 the test_and_set_bit()/test_and_clear_bit() is an
out-of-bounds single-bit read-modify-write past the array.  core_effects[]
is the second-to-last member of struct iforce, so the write lands in the
trailing members and beyond the embedding kzalloc()'d iforce_serio /
iforce_usb object.

data[1] is unvalidated device payload on both transports (the USB
interrupt endpoint and serio), and the status path is not gated on force
feedback being present, so a malicious or counterfeit device can set or
clear a bit at an attacker-chosen offset past the object.

Reject an out-of-range index instead of indexing with it.  Bound against
the array dimension IFORCE_EFFECTS_MAX rather than dev->ff->max_effects so
the check guarantees memory safety regardless of how many effects the
device registered.  A legitimate "effect started/stopped" status always
carries an index below IFORCE_EFFECTS_MAX, so well-formed devices are
unaffected; the neighbouring mark_core_as_ready() loop is already bounded
and is left untouched.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260613-b4-disp-4828d263-v1-1-02320e1a89dd@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/joystick/iforce/iforce-packets.c b/drivers/input/joystick/iforce/iforce-packets.c
index fd1cd731d781a221f24e7987e5fffe037cc7e56f..effa76bfd8f9a1fa017a58c32e84cc0f4fab05b9 100644 (file)
--- a/drivers/input/joystick/iforce/iforce-packets.c
+++ b/drivers/input/joystick/iforce/iforce-packets.c
@@ -186,14 +186,18 @@ void iforce_process_packet(struct iforce *iforce,
 
                /* Check if an effect was just started or stopped */
                i = data[1] & 0x7f;
-               if (data[1] & 0x80) {
-                       if (!test_and_set_bit(FF_CORE_IS_PLAYED, iforce->core_effects[i].flags)) {
-                               /* Report play event */
-                               input_report_ff_status(dev, i, FF_STATUS_PLAYING);
+               if (i < IFORCE_EFFECTS_MAX) {
+                       if (data[1] & 0x80) {
+                               if (!test_and_set_bit(FF_CORE_IS_PLAYED,
+                                                     iforce->core_effects[i].flags)) {
+                                       /* Report play event */
+                                       input_report_ff_status(dev, i, FF_STATUS_PLAYING);
+                               }
+                       } else if (test_and_clear_bit(FF_CORE_IS_PLAYED,
+                                                     iforce->core_effects[i].flags)) {
+                               /* Report stop event */
+                               input_report_ff_status(dev, i, FF_STATUS_STOPPED);
                        }
-               } else if (test_and_clear_bit(FF_CORE_IS_PLAYED, iforce->core_effects[i].flags)) {
-                       /* Report stop event */
-                       input_report_ff_status(dev, i, FF_STATUS_STOPPED);
                }
 
                for (j = 3; j < len; j += 2)