[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZqlggV3G0t743exX@google.com>
Date: Tue, 30 Jul 2024 14:52:01 -0700
From: Dmitry Torokhov <dmitry.torokhov@...il.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Henrik Rydberg <rydberg@...math.org>,
"linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH (resend)] Input: MT - limit max slots
Hi Tetsuo,
On Tue, Jul 30, 2024 at 02:38:19PM +0900, Tetsuo Handa wrote:
> On 2024/07/30 2:59, Dmitry Torokhov wrote:
> > Please do not. Or you will have to patch it again when we will still see
> > the same allocation failures because someone requested an input device
> > with "too many" slots (1024 results in 4Mb mt->red table for example).
> >
> > Just fix malloc/syzkaller not to trigger on benign memory allocation
> > hickups. They are normal.
>
> I chose 1024 because as far as I know 4MB is max acceptable size for
> all environments without triggering too large allocation warning.
>
> You worry about mt->red, but did you notice that syzbot was reporting that
> memory allocation for mt->red has an integer overflow bug, which can cause
> out of bounds write or ZERO_SIZE_PTR pointer dereference bug at input_mt_set_matrix() ?
>
> https://lkml.kernel.org/r/6d878e01-6c2f-8766-2578-c95030442369@I-love.SAKURA.ne.jp
I'll happily take the change converting that to array_size().
>
> Lucky thing is that the uinput interface is for only the "root" user...
uinput also does not request in-kernel contact tracking so it will not
allow hitting that overflow.
Thanks.
--
Dmitry
Powered by blists - more mailing lists