Input: xpad - fix out-of-bounds access for Share button
authorDmitry Torokhov <dmitry.torokhov@gmail.com>
Mon, 27 Apr 2026 04:09:33 +0000 (21:09 -0700)
committerDmitry Torokhov <dmitry.torokhov@gmail.com>
Mon, 27 Apr 2026 04:13:05 +0000 (21:13 -0700)
xpadone_process_packet() receives len directly from urb->actual_length
and uses it to index the share-button byte at data[len - 18] or
data[len - 26]. Since both len and data[0] are under the device's
control, a broken controller can send a GIP_CMD_INPUT packet with
actual_length < 18 (e.g. 5 bytes) and reach this code path, causing
accesses beyond the actual array.

Fix this by calculating the offset and checking bounds against the
packet length.

Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: 4ef46367073b ("Input: xpad - fix Share button on Xbox One controllers")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
drivers/input/joystick/xpad.c

index 0549fdc5a9851a2eb353667f0ab231a3cd38515d..19ce90da89e9b2d11f64a067b2913737b8db65ac 100644 (file)
@@ -1077,10 +1077,10 @@ static void xpadone_process_packet(struct usb_xpad *xpad, u16 cmd, unsigned char
                input_report_key(dev, BTN_START,  data[4] & BIT(2));
                input_report_key(dev, BTN_SELECT, data[4] & BIT(3));
                if (xpad->mapping & MAP_SHARE_BUTTON) {
-                       if (xpad->mapping & MAP_SHARE_OFFSET)
-                               input_report_key(dev, KEY_RECORD, data[len - 26] & BIT(0));
-                       else
-                               input_report_key(dev, KEY_RECORD, data[len - 18] & BIT(0));
+                       u32 offset = (xpad->mapping & MAP_SHARE_OFFSET) ? 26 : 18;
+
+                       if (len >= offset)
+                               input_report_key(dev, KEY_RECORD, data[len - offset] & BIT(0));
                }
 
                /* buttons A,B,X,Y */
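Review bot: The new `len >= offset` guard covers only the Share-button read; the `data[4]` reads in the two context lines at the top of this hunk, and any fixed-index reads that follow under `/* buttons A,B,X,Y */`, still take no visible account of `len`. The commit message says a 5-byte GIP_CMD_INPUT packet can reach this path, so unless a check outside the hunk already rejects short packets, those reads would report bytes that are not part of the current transfer (presumably stale buffer contents rather than memory outside the buffer; confirm against the buffer size). Consider one minimum-length check at the start of this branch, plus a short comment on the new line such as `/* Share byte sits at a fixed distance from the end of the packet */` so that 26 and 18 are not bare numbers. The body of xpadone_process_packet() starts and ends outside the hunk, so an existing length check may simply not be visible here.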