tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Input: force feedback - potential integer wrap in input_ff_create()

The problem here is that max_effects can wrap on 32 bits systems.
We'd allocate a smaller amount of data than sizeof(struct ff_device).
The call to kcalloc() on the next line would fail but it would write
the NULL return outside of the memory we just allocated causing data
corruption.

The call path is that uinput_setup_device() get ->ff_effects_max from
the user and sets the value in the ->private_data struct. From there
it is:
-> uinput_ioctl_handler()
-> uinput_create_device()
-> input_ff_create(dev, udev->ff_effects_max);

I've also changed ff_effects_max so it's an unsigned int instead of
a signed int as a cleanup.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

authored by

Dan Carpenter and committed by
Dmitry Torokhov 05be8b81 341deefe

+10 -5
+8 -3
drivers/input/ff-core.c
··· 309 309 * Once ff device is created you need to setup its upload, erase, 310 310 * playback and other handlers before registering input device 311 311 */ 312 - int input_ff_create(struct input_dev *dev, int max_effects) 312 + int input_ff_create(struct input_dev *dev, unsigned int max_effects) 313 313 { 314 314 struct ff_device *ff; 315 + size_t ff_dev_size; 315 316 int i; 316 317 317 318 if (!max_effects) { ··· 320 319 return -EINVAL; 321 320 } 322 321 323 - ff = kzalloc(sizeof(struct ff_device) + 324 - max_effects * sizeof(struct file *), GFP_KERNEL); 322 + ff_dev_size = sizeof(struct ff_device) + 323 + max_effects * sizeof(struct file *); 324 + if (ff_dev_size < max_effects) /* overflow */ 325 + return -EINVAL; 326 + 327 + ff = kzalloc(ff_dev_size, GFP_KERNEL); 325 328 if (!ff) 326 329 return -ENOMEM; 327 330
+1 -1
include/linux/input.h
··· 1610 1610 struct file *effect_owners[]; 1611 1611 }; 1612 1612 1613 - int input_ff_create(struct input_dev *dev, int max_effects); 1613 + int input_ff_create(struct input_dev *dev, unsigned int max_effects); 1614 1614 void input_ff_destroy(struct input_dev *dev); 1615 1615 1616 1616 int input_ff_event(struct input_dev *dev, unsigned int type, unsigned int code, int value);
+1 -1
include/linux/uinput.h
··· 68 68 unsigned char head; 69 69 unsigned char tail; 70 70 struct input_event buff[UINPUT_BUFFER_SIZE]; 71 - int ff_effects_max; 71 + unsigned int ff_effects_max; 72 72 73 73 struct uinput_request *requests[UINPUT_NUM_REQUESTS]; 74 74 wait_queue_head_t requests_waitq;