Input: atkbd - validate scancode in firmware keymap entries

The SCANCODE() macro extracts a 16-bit value (0..65535) from firmware
device property data, but atkbd_get_keymap_from_fwnode() uses it
directly to index atkbd->keycode[], which only has ATKBD_KEYMAP_SIZE
(512) elements. A firmware-supplied scancode >= 512 causes a heap
out-of-bounds write that can corrupt adjacent struct atkbd fields and
neighboring slab objects.

Add a bounds check that rejects the entire firmware keymap if any entry
contains an out-of-range scancode, consistent with the validation
performed by matrix_keypad_parse_keymap() in drivers/input/matrix-keymap.c
for the same "linux,keymap" property format. When rejected, the driver
falls back to the default keycode table.

Fixes: 9d17ad2369dc ("Input: atkbd - receive and use physcode->keycode mapping from FW")
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c
index 6c999d89ee4bd006a009ed574a85940238e488e7..7e6fa0e3cbd8ff2885e6ee1768fe04b4bb4a2169 100644 (file)
--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1110,6 +1110,12 @@ static int atkbd_get_keymap_from_fwnode(struct atkbd *atkbd)
        for (i = 0; i < n; i++) {
                scancode = SCANCODE(ptr[i]);
                keycode = KEYCODE(ptr[i]);
+               if (scancode >= ATKBD_KEYMAP_SIZE) {
+                       dev_warn(dev, "invalid scancode %#x in FW keymap entry %d\n",
+                                scancode, i);
+                       kfree(ptr);
+                       return -EINVAL;
+               }
                atkbd->keycode[scancode] = keycode;
        }