lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210620120030.1513655-1-avlarkin82@gmail.com>
Date:   Sun, 20 Jun 2021 15:00:30 +0300
From:   Alexander Larkin <avlarkin82@...il.com>
To:     dmitry.torokhov@...il.com, dan.carpenter@...cle.com,
        linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
        security@...nel.org
Cc:     Alexander Larkin <avlarkin82@...il.com>,
        Murray McAllister <murray.mcallister@...il.com>
Subject: [PATCH]     Input: joydev - prevent potential write out of bounds in ioctl

    The problem is that the check of user input values that is just
    before the fixed line of code is for the part of first values
    (before len or before len/2), but then the usage of all the values
    including i >= len (or i >= len/2) could be.
    Since the resulted array of values inited by default with some
    good values, the fix is to ignore out of bounds values and
    just to use only correct input values by user.
    Originally detected by Murray with this simple poc
    (If you run the following as an unprivileged user on a default install
     it will instantly panic the system:

int main(void) {
	int fd, ret;
	unsigned int buffer[10000];

	fd = open("/dev/input/js0", O_RDONLY);
	if (fd == -1)
		printf("Error opening file\n");

	ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
	printf("%d\n", ret);
}

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Reported-by: Murray McAllister <murray.mcallister@...il.com>
Signed-off-by: Alexander Larkin <avlarkin82@...il.com>
---
 drivers/input/joydev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
index da8963a9f044..1aa067d4a3e8 100644
--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -464,7 +464,7 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,
 
 	memcpy(joydev->abspam, abspam, len);
 
-	for (i = 0; i < joydev->nabs; i++)
+	for (i = 0; i < len && i < joydev->nabs; i++)
 		joydev->absmap[joydev->abspam[i]] = i;
 
  out:
@@ -498,7 +498,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
 
 	memcpy(joydev->keypam, keypam, len);
 
-	for (i = 0; i < joydev->nkey; i++)
+	for (i = 0; i < (len / 2) && i < joydev->nkey; i++)
 		joydev->keymap[keypam[i] - BTN_MISC] = i;
 
  out:
-- 
2.27.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ